From owner-svn-ports-head@freebsd.org Mon Oct 24 22:52:18 2016 Return-Path: Delivered-To: svn-ports-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 983F8C1FEB7; Mon, 24 Oct 2016 22:52:18 +0000 (UTC) (envelope-from bdrewery@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4BF0EDCA; Mon, 24 Oct 2016 22:52:18 +0000 (UTC) (envelope-from bdrewery@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u9OMqHOL055039; Mon, 24 Oct 2016 22:52:17 GMT (envelope-from bdrewery@FreeBSD.org) Received: (from bdrewery@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u9OMqHS3055037; Mon, 24 Oct 2016 22:52:17 GMT (envelope-from bdrewery@FreeBSD.org) Message-Id: <201610242252.u9OMqHS3055037@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: bdrewery set sender to bdrewery@FreeBSD.org using -f From: Bryan Drewery Date: Mon, 24 Oct 2016 22:52:17 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r424592 - in head/security/openssh-portable: . files X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Oct 2016 22:52:18 -0000 Author: bdrewery Date: Mon Oct 24 22:52:17 2016 New Revision: 424592 URL: https://svnweb.freebsd.org/changeset/ports/424592 Log: Bring in upstream commit ec165c392ca54317dbe3064a8c200de6531e89ad: Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn Security: CVE-2016-8858 Added: head/security/openssh-portable/files/patch-kex.c (contents, props changed) Modified: head/security/openssh-portable/Makefile Modified: head/security/openssh-portable/Makefile ============================================================================== --- head/security/openssh-portable/Makefile Mon Oct 24 20:42:15 2016 (r424591) +++ head/security/openssh-portable/Makefile Mon Oct 24 22:52:17 2016 (r424592) @@ -3,7 +3,7 @@ PORTNAME= openssh DISTVERSION= 7.3p1 -PORTREVISION= 0 +PORTREVISION= 1 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= OPENBSD/OpenSSH/portable Added: head/security/openssh-portable/files/patch-kex.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/openssh-portable/files/patch-kex.c Mon Oct 24 22:52:17 2016 (r424592) @@ -0,0 +1,33 @@ +From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001 +From: "markus@openbsd.org" +Date: Mon, 10 Oct 2016 19:28:48 +0000 +Subject: [PATCH] upstream commit + +Unregister the KEXINIT handler after message has been +received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause +allocation of up to 128MB -- until the connection is closed. Reported by +shilei-c at 360.cn + +Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05 +--- + kex.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git kex.c kex.c +index 3f97f8c..6a94bc5 100644 +--- kex.c ++++ kex.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: kex.c,v 1.126 2016/09/28 21:44:52 djm Exp $ */ ++/* $OpenBSD: kex.c,v 1.127 2016/10/10 19:28:48 markus Exp $ */ + /* + * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. + * +@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt) + if (kex == NULL) + return SSH_ERR_INVALID_ARGUMENT; + ++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); + ptr = sshpkt_ptr(ssh, &dlen); + if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) + return r;