FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=release%2F13.2.0 2023-03-17T01:38:16Z 2023-03-17T01:38:16Z Ed Maste emaste@FreeBSD.org 2023-03-16T14:29:55Z urn:sha1:43ad40718af1a94abc2fb3fb932b08a91a56f291 This release fixes a number of security bugs and has minor new features and bug fixes. Security fixes, from the release notes (https://www.openssh.com/txt/release-9.3): This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. Approved by: re (cperciva) Sponsored by: The FreeBSD Foundation (cherry picked from commit 4d3fc8b0570b29fb0d6ee9525f104d52176ff0d4) (cherry picked from commit 802b483630974c2ccf2bfbc90b39102b9e47d22b) 2023-03-16T17:44:57Z Cy Schubert cy@FreeBSD.org 2023-02-07T15:46:59Z urn:sha1:0c0c89736597709fec9cffd5b3b2703470995674 When the client sends kadmind a create principal (kadm_create) request kadm_s_create_principal() returns an error before zeroing out ent (an hdb entry structure wrapper -- hdb_entry_ex), resulting in a NULL reference. Fix obtained from upstream commit 35ea4955a. PR: 268059 Reported by: Robert Morris <rtm@lcs.mit.edu> Obtained from: Heimdal commit 35ea4955a Approved by: re (cperciva) (cherry picked from commit 6a70e0b4cdc606931555cdc59dc6c8d4a3ab4e3e) (cherry picked from commit 75b5693ed73e4abb6dbb90affbf3ba56c4cdfdc4) 2023-03-16T17:44:41Z Cy Schubert cy@FreeBSD.org 2023-03-10T01:03:52Z urn:sha1:08ffa93d9f0e5c03b15e6f3326d5a0056bfc4a52 When CVE-2022-3437 was fixed by changing memcmp to be a constant time and the workaround for th e compiler was to add "!=0". However the logic implmented was inverted resulting in CVE-2022-4152. Reported by: Timothy E Zingelman <zingelman _AT_ fnal.gov> Security: CVE-2022-4152 Security: https://www.cve.org/CVERecord?id=CVE-2022-45142 Security: https://nvd.nist.gov/vuln/detail/CVE-2022-45142 Security: https://security-tracker.debian.org/tracker/CVE-2022-45142 Security: https://bugs.gentoo.org/show_bug.cgi?id=CVE-2022-45142 Security: https://bugzilla.samba.org/show_bug.cgi?id=15296 Security: https://www.openwall.com/lists/oss-security/2023/02/08/1 Approved by: re (cperciva) (cherry picked from commit 5abaf0866445a61c11665fffc148ecd13a7bb9ac) (cherry picked from commit 59c26d1a95a00418892e08341e3eae074c238680) 2023-03-02T17:43:28Z Ed Maste emaste@FreeBSD.org 2023-02-17T01:26:41Z urn:sha1:d54953d6abc9b79d94c5bd4969864fa261e35ee8 Revert to upstream's default. Using VerifyHostKeyDNS may depend on a trusted nameserver and network path. This reverts commit 83c6a5242c80160fff76fb85454938761645b0c4. Reported by: David Leadbeater, G-Research Reviewed by: gordon Approved by: re (delphij) Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D38648 (cherry picked from commit 41ff5ea22cb95deb9e7415510eb2f5f00b91537a) (cherry picked from commit 43fd77233cd49061839cfdd936cfeba53e9855c3) 2023-02-14T22:33:56Z Ed Maste emaste@FreeBSD.org 2023-02-06T21:54:56Z urn:sha1:fad31dffb4057cc606fe59a7ba2e09ca9a8a147c Release notes are available at https://www.openssh.com/txt/release-9.2 OpenSSH 9.2 contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable. These fixes have already been committed to OpenSSH 9.1 in FreeBSD. Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499 Approved by: re (cperciva) Sponsored by: The FreeBSD Foundation (cherry picked from commit f374ba41f55c1a127303d92d830dd58eef2f5243) (cherry picked from commit 2f43f145825d0d8468f583b1686262b0f40c1fe5) 2023-02-14T22:33:56Z Ed Maste emaste@FreeBSD.org 2023-02-08T18:31:44Z urn:sha1:26b9c45c8f65dbd30bc41f1928db8cd66bb154bb Reported by: imp Reviewed by: imp Approved by: re (cperciva) Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D38443 (cherry picked from commit 1aa9a35f6361cc898e2323e1f2823771eb4161da) (cherry picked from commit 59ab4b95129dd5d64a52e0822b4fb5621bf65e9c) 2023-02-08T21:04:36Z Ed Maste emaste@FreeBSD.org 2023-02-06T16:45:52Z urn:sha1:6ad91c17b0555f0d28377f66fb9f7c8b4cee2b06 never write a name with bad characters to a known_hosts file. replace recently-added valid_domain() check for hostnames going to known_hosts with a more relaxed check for bad characters. Obtained from: OpenSSH-portable commit 445363433ba2 Obtained from: OpenSSH-portable commit 3cae9f92a318 Sponsored by: The FreeBSD Foundation (cherry picked from commit 2e828220579e3ada74ed0613871ec6ec61d669ba) 2023-02-08T21:04:36Z Ed Maste emaste@FreeBSD.org 2023-02-06T16:33:38Z urn:sha1:375bb3704d1371dec08f49cf8767f7b98162da34 its first argument unless it was one of the special keywords "any" or "none". Obtained from: OpenSSH-portable commit b3daa8dc5823 Sponsored by: The FreeBSD Foundation (cherry picked from commit 94e21add45344f0669f910ea77db499e8c892c90) 2023-02-08T21:04:36Z Ed Maste emaste@FreeBSD.org 2023-02-06T16:26:08Z urn:sha1:296ec8eae0c834088a491643a937d881bfb4b5dd Security: CVE-2023-25136 Obtained from: OpenSSH-portable commit 12da78233364 Sponsored by: The FreeBSD Foundation (cherry picked from commit fe1371e8f3d7336748d291a7360b2aacce943fb1) 2023-02-07T22:38:40Z Jung-uk Kim jkim@FreeBSD.org 2023-02-07T18:51:38Z urn:sha1:0904c29a0a116eb7d67a2d35d926580a65f0ddfb (cherry picked from commit 640242a5915761ce63205bdb0542fa3c1473c0ff)