Antonio Larrosa
da2c6cc517
* No changes for askpass, see main package changelog for details. - Fix a dbus connection leaked in the logind patch that was missing a sd_bus_unref call (found by Matthias Gerstner): * logind_set_tty.patch - Add a patch that fixes a small memory leak when parsing the subsystem configuration option: * fix-memleak-in-process_server_config_line_depth.patch - Update to openssh 9.8p1: = Security * 1) Race condition in sshd(8) (bsc#1226642, CVE-2024-6387). A critical vulnerability in sshd(8) was present in Portable OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code execution with root privileges. Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon. Exploitation on non-glibc systems is conceivable but has not been examined. Systems that lack ASLR or users of downstream Linux distributions that have modified OpenSSH to disable per-connection ASLR re-randomisation (yes - this is a thing, no - we don't understand why) may potentially have an easier path to exploitation. OpenBSD is not vulnerable. OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=272
24 lines
1.0 KiB
Plaintext
24 lines
1.0 KiB
Plaintext
There are following changes in default settings of ssh client and server:
|
|
|
|
* Accepting and sending of locale environment variables in protocol 2 is
|
|
enabled.
|
|
|
|
* PAM authentication is enabled and mostly even required, do not turn it off.
|
|
|
|
* In SLE15, root authentiation with password is enabled by default
|
|
(PermitRootLogin yes).
|
|
NOTE: this has security implications and is only done in order to not change
|
|
behaviour of the server in an update. We strongly suggest setting this option
|
|
either "prohibit-password" or even better to "no" (which disables direct
|
|
remote root login entirely).
|
|
|
|
* DSA authentication is enabled by default for maximum compatibility.
|
|
NOTE: do not use DSA authentication since it is being phased out for a reason
|
|
- the size of DSA keys is limited by the standard to 1024 bits which cannot
|
|
be considered safe any more.
|
|
|
|
* Accepting all RFC4419 specified DH group parameters. See KexDHMin in
|
|
ssh_config and sshd_config manual pages.
|
|
|
|
For more information on differences in SUSE OpenSSH package see README.FIPS
|