Is there a CVE for these? I fail to see updated packages or notices, are vendors just lazy again? Thanks Jan > On 1. 7. 2024, at 10:21, Damien Miller <djm@xxxxxxxxxxx> wrote: > > Hi, > > Regarding the race condition fixed in OpenSSH 9.8. A mitigation to > prevent exploitation of this bug is to disable the login grace timer > by setting LoginGraceTime=0 in sshd_config. This will however make > it much easier for an attacker to deny service to sshd. > > Similarly, the much more minor keystroke timing bug can be avoided > by disabling the feature using ObscureKeystrokeTiming=0. > > Some users will understandably prefer to patch their OpenSSH rather > than upgrade to the newest version, so here are minimal patches for > both problems. > > 1) Critical race condition in sshd > > diff --git a/log.c b/log.c > index 9fc1a2e2e..191ff4a5a 100644 > --- a/log.c > +++ b/log.c > @@ -451,12 +451,14 @@ void > sshsigdie(const char *file, const char *func, int line, int showfunc, > LogLevel level, const char *suffix, const char *fmt, ...) > { > +#ifdef SYSLOG_R_SAFE_IN_SIGHAND > va_list args; > > va_start(args, fmt); > sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL, > suffix, fmt, args); > va_end(args); > +#endif > _exit(1); > } > > 2) Minor logic error in ObscureKeystrokeTiming > > diff --git a/clientloop.c b/clientloop.c > index 8ec36af94..6dcd6c853 100644 > --- a/clientloop.c > +++ b/clientloop.c > @@ -608,8 +608,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout, > if (timespeccmp(&now, &chaff_until, >=)) { > /* Stop if there have been no keystrokes for a while */ > stop_reason = "chaff time expired"; > - } else if (timespeccmp(&now, &next_interval, >=)) { > - /* Otherwise if we were due to send, then send chaff */ > + } else if (timespeccmp(&now, &next_interval, >=) && > + !ssh_packet_have_data_to_write(ssh)) { > + /* If due to send but have no data, then send chaff */ > if (send_chaff(ssh)) > nchaff++; > } > > > Thanks, > Damien Miller > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev@xxxxxxxxxxx > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev