webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-11 19:55:52 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
3494b0cebb5ae1fd030d42017cd34c0b5870a13f
bpfire/lfs/openssh
Michael Tremer 4b8f1ffb31 openssh: Update to 7.3p1 
Includes various security fixes:

 * sshd(8): Mitigate a potential denial-of-service attack against
   the system's crypt(3) function via sshd(8). An attacker could
   send very long passwords that would cause excessive CPU use in
   crypt(3). sshd(8) now refuses to accept password authentication
   requests of length greater than 1024 characters. Independently
   reported by Tomas Kuthan (Oracle), Andres Rojas and Javier Nieto.

 * sshd(8): Mitigate timing differences in password authentication
   that could be used to discern valid from invalid account names
   when long passwords were sent and particular password hashing
   algorithms are in use on the server. CVE-2016-6210, reported by
   EddieEzra.Harari at verint.com

 * ssh(1), sshd(8): Fix observable timing weakness in the CBC padding
   oracle countermeasures. Reported by Jean Paul Degabriele, Kenny
   Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers
   are disabled by default and only included for legacy compatibility.

 * ssh(1), sshd(8): Improve operation ordering of MAC verification for
   Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the
   MAC before decrypting any ciphertext. This removes the possibility
   of timing differences leaking facts about the plaintext, though no
   such leakage has been observed.  Reported by Jean Paul Degabriele,
   Kenny Paterson, Torben Hansen and Martin Albrecht.

 * sshd(8): (portable only) Ignore PAM environment vars when
   UseLogin=yes. If PAM is configured to read user-specified
   environment variables and UseLogin=yes in sshd_config, then a
   hostile local user may attack /bin/login via LD_PRELOAD or
   similar environment variables set via PAM. CVE-2015-8325,
   found by Shayan Sadigh.

Fixes: #11160

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2016-08-02 16:06:35 +01:00

101 lines
4.4 KiB
Plaintext
Raw Blame History

###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2007-2016 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
###############################################################################
# Definitions
###############################################################################
include Config
VER = 7.3p1
THISAPP = openssh-$(VER)
DL_FILE = $(THISAPP).tar.gz
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
###############################################################################
# Top-level Rules
###############################################################################
objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = dfadd9f035d38ce5d58a3bf130b86d08
install : $(TARGET)
check : $(patsubst %,$(DIR_CHK)/%,$(objects))
download :$(patsubst %,$(DIR_DL)/%,$(objects))
md5 : $(subst %,%_MD5,$(objects))
###############################################################################
# Downloading, checking, md5sum
###############################################################################
$(patsubst %,$(DIR_CHK)/%,$(objects)) :
@$(CHECK)
$(patsubst %,$(DIR_DL)/%,$(objects)) :
@$(LOAD)
$(subst %,%_MD5,$(objects)) :
@$(MD5)
###############################################################################
# Installation Details
###############################################################################
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && sed -i "s/lkrb5 -ldes/lkrb5/" configure
cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/etc/ssh \
--libexecdir=/usr/lib/openssh --with-md5-passwords \
--with-privsep-path=/var/empty --disable-nls \
--with-superuser-path=/sbin:/usr/sbin:/bin:/usr/bin
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
sed -i -e 's/^#\?Port .*$$/Port 222/' \
-e 's/^#\?Protocol .*$$/Protocol 2/' \
-e 's/^#\?LoginGraceTime .*$$/LoginGraceTime 30s/' \
-e 's/^#\?RSAAuthentication .*$$/RSAAuthentication yes/' \
-e 's/^#\?PubkeyAuthentication .*$$/PubkeyAuthentication yes/' \
-e 's/^#\?PasswordAuthentication .*$$/PasswordAuthentication yes/' \
-e 's/^#\?MaxStartups .*$$/MaxStartups 5/' \
-e 's/^#\?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts yes/' \
-e 's/^#\?UsePAM .*$$//' \
-e 's/^#\?X11Forwarding .*$$/X11Forwarding no/' \
-e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/' \
-e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \
-e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \
-e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \
-e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
-e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \
-e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \
-e 's|^#\?HostKey /etc/ssh/ssh_host_rsa_key$$|HostKey /etc/ssh/ssh_host_ecdsa_key\nHostKey /etc/ssh/ssh_host_ed25519_key\nHostKey /etc/ssh/ssh_host_rsa_key|' \
/etc/ssh/sshd_config
@rm -rf $(DIR_APP)
@$(POSTBUILD)
Reference in New Issue View Git Blame Copy Permalink