]> code.ossystems Code Review - openembedded-core.git/commit
Code Review / openembedded-core.git / commit
? search:
summary | shortlog | log | commit | commitdiff | review | tree
(parent: 458d877) | patch
openssh: Backport CVE-2015-5600 fix
authorHaris Okanovic <haris.okanovic@ni.com>
Fri, 30 Oct 2015 20:12:56 +0000 (15:12 -0500)
committerJoshua Lock <joshua.lock@collabora.co.uk>
Thu, 5 Nov 2015 22:04:15 +0000 (22:04 +0000)
commit433f66ba6c79cf49e29251af0985baf5c4b79e23
tree28e5e52ea490e24161faefc385635fe21a228238tree | snapshot
parent458d877590bcd39c7f05d31cc6e7600ca59de332commit | diff
openssh: Backport CVE-2015-5600 fix

only query each keyboard-interactive device once per
authentication request regardless of how many times it is listed

Source:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c?f=h#rev1.43
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r2=1.43&r1=1.42&f=u

Bug report:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5600
https://bugzilla.redhat.com/show_bug.cgi?id=1245969

Testing:
Built in Fido and installed to x86_64 test system.
Verified both 'keyboard-interactive' and 'publickey' logon works with
root and a regular user from an openssh 7.1p1-1 client on Arch.

Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
Reviewed-by: Rich Tollerton <rich.tollerton@ni.com>
Reviewed-by: Ken Sharp <ken.sharp@ni.com>
Natinst-ReviewBoard-ID: 115602
Natinst-CAR-ID: 541263
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch [new file with mode: 0644] blob
meta/recipes-connectivity/openssh/openssh_6.7p1.bb diff | blob | history
Mirror of the official openembedded-core repository