[24.10] openssh: bump to 9.9p2 #26103

Open. Wants to merge 4 commits into base: openwrt-24.10

Conversation

tofurky
Contributor

@tofurky tofurky commented Mar 6, 2025

Maintainer: @SibrenVasse, @tripolar
Compile tested: x86_64
Run tested: x86_64
Description:

The last few commits were cherry-picked from master as the most recent (bumping to 9.9p2) contains security fixes.

Brought in a few recent bug fixes as well; I could limit it to just the version bump if needed.

Erik Karlsson and others added 4 commits March 5, 2025 23:21
Starting with OpenSSH 9.8, sessions are handled by a separate binary
called sshd-session.

Signed-off-by: Erik Karlsson <[email protected]>
(cherry picked from commit 3ac8092)

Imitate dropbear init.d-script and make sure we
don't end up with corrupt keys.

This can happen if we use a caching filesystem,
like 'ubifs', and the DUT is powered off during
boot-up.

Signed-off-by: Markus Gothe <[email protected]>
(cherry picked from commit 69c29a5)

The -r option is not required here but should also not hurt,
since it was already tested that $key is a file.
However, to express the intent of the command more clearly,
let's drop it.

Signed-off-by: Michael Heimpold <[email protected]>
(cherry picked from commit 9ef2d15)

Updated and removed upstreamed patch.

Highlights relating to security:

* Fix CVE-2025-26465 - ssh(1) in OpenSSH versions 6.8p1 to 9.9p1
  (inclusive) contained a logic error that allowed an on-path
  attacker (a.k.a MITM) to impersonate any server when the
  VerifyHostKeyDNS option is enabled. This option is off by default.

* Fix CVE-2025-26466 - sshd(8) in OpenSSH versions 9.5p1 to 9.9p1
  (inclusive) is vulnerable to a memory/CPU denial-of-service related
  to the handling of SSH2_MSG_PING packets. This condition may be
  mitigated using the existing PerSourcePenalties feature.

Both vulnerabilities were discovered and demonstrated to be exploitable
by the Qualys Security Advisory team. We thank them for their detailed
review of OpenSSH.

Full release notes: https://www.openssh.com/txt/release-9.9p2

Signed-off-by: John Audia <[email protected]>
(cherry picked from commit 67784bf)
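The two highlights above each hinge on a configuration setting: CVE-2025-26465 only applies to clients that enable VerifyHostKeyDNS, and the release notes name PerSourcePenalties as the mitigation for CVE-2025-26466. The POSIX sh script below is an added example, not part of this pull request or of the OpenWrt openssh package; it audits ssh_config/sshd_config-style text for those two keywords so an operator can check hosts that have not yet received 9.9p2. It assumes the usual "Keyword value" syntax with "#" comments and first-occurrence-wins semantics; Match blocks and Include directives are deliberately not modelled, and the sample config text is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the OpenWrt PR): audit ssh/sshd config text for the
# two settings named in the OpenSSH 9.9p2 release highlights.

# config_value KEYWORD < config_file
# Prints the value of the first occurrence of KEYWORD (case-insensitive),
# ignoring "#" comments, as ssh_config(5)/sshd_config(5) do for plain
# keywords.  Match blocks and Include are not modelled (simplification).
config_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                      # drop trailing comments
        NF >= 2 && tolower($1) == key { print $2; exit }
    '
}

# flag_client < ssh_config
# Returns 1 (finding) when VerifyHostKeyDNS is "yes" or "ask": on a client
# older than 9.9p2 that is the precondition for CVE-2025-26465.
flag_client() {
    v=$(config_value VerifyHostKeyDNS)
    case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
        yes|ask) return 1 ;;
        *)       return 0 ;;
    esac
}

# flag_server < sshd_config
# Returns 1 (finding) when PerSourcePenalties has been turned off with
# "no", since the release notes name it as the CVE-2025-26466 mitigation.
flag_server() {
    v=$(config_value PerSourcePenalties)
    case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
        no) return 1 ;;
        *)  return 0 ;;
    esac
}

# Constructed sample inputs (not real configs from the page or the project).
SAMPLE_CLIENT_CFG='# constructed ssh_config sample
Host *
    VerifyHostKeyDNS yes   # exposed on clients older than 9.9p2
    StrictHostKeyChecking ask'

SAMPLE_SERVER_CFG='# constructed sshd_config sample
Port 22
PerSourcePenalties no      # penalty system disabled
PermitRootLogin no'

# report: run both checks over the samples and print any findings.
report() {
    printf '%s\n' "$SAMPLE_CLIENT_CFG" | flag_client \
        || echo "FINDING: VerifyHostKeyDNS is enabled in client config"
    printf '%s\n' "$SAMPLE_SERVER_CFG" | flag_server \
        || echo "FINDING: PerSourcePenalties is disabled in server config"
}

report
```

To audit a real host, replace the constructed samples with the file contents, e.g. `flag_server < /etc/ssh/sshd_config`; on a host with sshd present, `sshd -T` prints the effective configuration (Match blocks and Include resolved) and is the more reliable input for the server check.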
tofurky changed the title from "openssh: bump to 9.9p2" to "[24.10] openssh: bump to 9.9p2" on Mar 6, 2025
@tofurky
Contributor Author

tofurky commented Mar 6, 2025

CI failures seem unrelated:

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10-SNAPSHOT/targets/x86/64/kmods/6.6.58-1-cccdb39f40ab0d2ddc0a71725516d8a8/Packages.gz, wget returned 8.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10-SNAPSHOT/targets/armsr/armv8/kmods/6.6.58-1-cecaea08e27fda43dbd5e7f323729103/Packages.gz, wget returned 8.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10-SNAPSHOT/targets/malta/be/kmods/6.6.58-1-59f68b50fea8f8f82114c6144268a718/Packages.gz, wget returned 8.
