Bug 280068
| Summary: | security/openssh-portable: Security fix for CVE-2024-6387 | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Bernard Spil <brnrd> | ||||
| Component: | Individual Port(s) | Assignee: | Bryan Drewery <bdrewery> | ||||
| Status: | Closed FIXED | ||||||
| Severity: | Affects Only Me | CC: | brnrd, dave, einar, emaste, jason, nerozero | ||||
| Priority: | --- | Flags: | bdrewery:
maintainer-feedback+
|
||||
| Version: | Latest | ||||||
| Hardware: | Any | ||||||
| OS: | Any | ||||||
| Attachments: |
|
||||||
Dang... Staged the changes to create a patch, and forgot to unstage before committing the vuxml entry. So forward in 66a620a734b489596452f342224330207c6e23b1 And backwards in 6c74a768ede70109e336be37bf3fe2ae655cd2b6 Can't revert the PORTREVISION bump. Sorry... I'm confused. You reverted the patch for the CVE? Why? I don't know why this was reverted but I am updating the port to 9.8 right now. 9.8 is more involved and risky. Please commit this patch if it is a valid workaround for now and backport to quarterly. Any update when the patch will hit latest and quarterly for those that track portable rather than base? (In reply to Dave Hayes from comment #2) It's not my port, so requires maintainer-approval before committing. (In reply to Bryan Drewery from comment #4) Currently travelling... There's https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html from djm which has an extra patch in there vs. Base. Noticed that 9.8 wasn't trivial to port, so patched 9.7 A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=7b31ce1eeeb40098b213a153e10530a196b52322 commit 7b31ce1eeeb40098b213a153e10530a196b52322 Author: Bryan Drewery <bdrewery@FreeBSD.org> AuthorDate: 2024-07-02 16:08:13 +0000 Commit: Bryan Drewery <bdrewery@FreeBSD.org> CommitDate: 2024-07-02 16:08:13 +0000 security/openssh-portable: Bring in patches for recent CVES Source: https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html PR: 280068 security/openssh-portable/Makefile | 2 +- .../openssh-portable/files/patch-9.8-cves (new) | 56 ++++++++++++++++++++++ 2 files changed, 57 insertions(+), 1 deletion(-) A commit in branch 2024Q2 references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=82c70bd1c2dbe11711390d24b0666cb31f5c4222 commit 82c70bd1c2dbe11711390d24b0666cb31f5c4222 Author: Bryan Drewery <bdrewery@FreeBSD.org> AuthorDate: 2024-07-02 16:08:13 +0000 Commit: Bryan Drewery <bdrewery@FreeBSD.org> CommitDate: 2024-07-02 16:10:56 +0000 security/openssh-portable: Bring in patches for recent CVES Source: https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html PR: 280068 (cherry picked from commit 7b31ce1eeeb40098b213a153e10530a196b52322) security/openssh-portable/Makefile | 2 +- .../openssh-portable/files/patch-9.8-cves (new) | 56 ++++++++++++++++++++++ 2 files changed, 57 insertions(+), 1 deletion(-) Thank you very much for the fix! Thank you. For those tracking, it appears the cluster hasn't completed builds and pushed out to nodes so you may want to build yourself. Is the vuxml entry wrong or the version string of the patched version?
{
"pkg_count": 1,
"packages": {
"openssh-portable": {
"version": "9.7.p1_2,1",
"issue_count": 1,
"issues": [
{
"Affected versions": [
"< 9.7_1,1"
],
"description": "OpenSSH -- Race condition resulting in potential remote code execution",
"cve": [
"CVE-2024-6387"
],
"url": "https://vuxml.FreeBSD.org/freebsd/f1a00122-3797-11ef-b611-84a93843eb75.html"
}
],
"reverse dependencies": [
]
}
}
}
|
Created attachment 251810 [details] git diff for security/openssh-portable ``` security/openssh-portable: Security fix for CVE-2024-6387 PR: Security: ``` Patch from FreeBSD 14.1-p2