Bug 233801

Summary: FreeBSD 11.x vulnerability in OpenSSH
Product: Base System Reporter: Dani I. <i.dani>
Component: binAssignee: Security Team <secteam>
Status: Closed FIXED    
Severity: Affects Many People CC: arnaud, des, eadler, emaste, freebsd, gordon, remko, secteam, sigsys
Priority: --- Keywords: needs-qa, security
Version: 11.3-RELEASEFlags: koobs: mfc-stable11?
Hardware: Any   
OS: Any   
URL: https://nvd.nist.gov/vuln/detail/CVE-2017-15906

Description Dani I. 2018-12-05 14:27:23 UTC 
https://nvd.nist.gov/vuln/detail/CVE-2017-15906 - Has not been fixed in FreeBSD 11.x

Is there a special reason for this or was it forgotten? 

These are the mentioned lines: https://svnweb.freebsd.org/base/releng/11.2/crypto/openssh/sftp-server.c?view=markup#l694

A fix is availible (and has been released with v7.6 - so FBSD 12 isn't vulnerable) - see: 
   https://github.com/vmware/photon/blob/master/SPECS/openssh/openssh-CVE-2017-15906.patch
or from OpenBSD: 
   https://github.com/openbsd/src/commit/a6981567e8e215acc1ef690c8dbb30f2d9b00a19
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2018-12-07 10:04:15 UTC 
See Also: http://lists.nycbug.org/pipermail/talk/2017-December/017442.html where eadler apparently looped secteam in
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2018-12-07 10:05:46 UTC 
HEAD received the OpenSSH 7.6p1 update in base r333389 so stable/12 has it
Comment 3 Dani I. 2019-03-12 18:36:03 UTC 
bump..
Comment 4 Dani I. 2019-12-13 13:24:35 UTC 
...
Comment 5 commit-hook freebsd_committer freebsd_triage 2019-12-13 20:46:44 UTC 
A commit references this bug:

Author: emaste
Date: Fri Dec 13 20:45:46 UTC 2019
New revision: 355731
URL: https://svnweb.freebsd.org/changeset/base/355731

Log:
  sftp: disallow creation (of empty files) in read-only mode

  Direct commit to stable/11; already fixed in newer OpenSSH in 12 and
  later.

  PR:		233801
  Reported by:	Dani
  Obtained from:	OpenBSD 1.111
  Security:	CVE-2017-15906

Changes:
  stable/11/crypto/openssh/sftp-server.c