--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
I'd like to upload to stable to fix #700102. (Actually I've already
uploaded this because I forgot I was supposed to ask first - whoops - so
it's in a queue somewhere already.) This is a DoS fix, but since a
member of the security team (CCed) reported it and requested an upload
to stable, I assume they don't think it's worth issuing a DSA.
Here's the diff.
diff -Nru openssh-5.5p1/debian/changelog openssh-5.5p1/debian/changelog
--- openssh-5.5p1/debian/changelog 2012-02-20 15:18:05.000000000 +0000
+++ openssh-5.5p1/debian/changelog 2013-02-08 21:39:18.000000000 +0000
@@ -1,3 +1,10 @@
+openssh (1:5.5p1-6+squeeze3) stable; urgency=low
+
+ * CVE-2010-5107: Improve DoS resistance by changing default of MaxStartups
+ to 10:30:100 (closes: #700102).
+
+ -- Colin Watson <cjwatson@debian.org> Fri, 08 Feb 2013 21:39:15 +0000
+
openssh (1:5.5p1-6+squeeze2) stable; urgency=high
* CVE-2012-0814: Don't send the actual forced command in a debug message,
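Review bot: the changelog entry documents a default-behaviour change going into stable, but nothing in the upload tells administrators about it; consider a debian/NEWS entry (or one more sentence here) stating that sites relying on the old implicit `MaxStartups 10` will now see random early drop start at 10 unauthenticated connections with a hard cap at 100, while an explicitly configured `MaxStartups` keeps its value.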
diff -Nru openssh-5.5p1/debian/patches/max-startups-default.patch openssh-5.5p1/debian/patches/max-startups-default.patch
--- openssh-5.5p1/debian/patches/max-startups-default.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssh-5.5p1/debian/patches/max-startups-default.patch 2013-02-08 21:36:08.000000000 +0000
@@ -0,0 +1,57 @@
+Description: Change default of MaxStartups to 10:30:100
+ This causes sshd to start doing random early drop at 10 connections up to
+ 100 connections. This will make it harder to DoS as CPUs have come a long
+ way since the original value was set back in 2000.
+Author: Darren Tucker
+Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
+Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
+Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89
+Bug-Debian: http://bugs.debian.org/700102
+Forwarded: not-needed
+Last-Update: 2013-02-08
+
+Index: b/servconf.c
+===================================================================
+--- a/servconf.c
++++ b/servconf.c
+@@ -249,11 +249,11 @@
+ if (options->gateway_ports == -1)
+ options->gateway_ports = 0;
+ if (options->max_startups == -1)
+- options->max_startups = 10;
++ options->max_startups = 100;
+ if (options->max_startups_rate == -1)
+- options->max_startups_rate = 100; /* 100% */
++ options->max_startups_rate = 30; /* 30% */
+ if (options->max_startups_begin == -1)
+- options->max_startups_begin = options->max_startups;
++ options->max_startups_begin = 10;
+ if (options->max_authtries == -1)
+ options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
+ if (options->max_sessions == -1)
+Index: b/sshd_config
+===================================================================
+--- a/sshd_config
++++ b/sshd_config
+@@ -102,7 +102,7 @@
+ #ClientAliveCountMax 3
+ #UseDNS yes
+ #PidFile /var/run/sshd.pid
+-#MaxStartups 10
++#MaxStartups 10:30:100
+ #PermitTunnel no
+ #ChrootDirectory none
+
+Index: b/sshd_config.5
+===================================================================
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -672,7 +672,7 @@
+ Additional connections will be dropped until authentication succeeds or the
+ .Cm LoginGraceTime
+ expires for a connection.
+-The default is 10.
++The default is 10:30:100.
+ .Pp
+ Alternatively, random early drop can be enabled by specifying
+ the three colon separated values
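Review bot: in the sshd_config.5 change, `The default is 10:30:100.` lands in the paragraph describing the single-value form, two lines before the text that first explains the colon-separated start:rate:full syntax, so a reader meets the new default before learning what the three numbers mean; either move the sentence after the random early drop paragraph or write `The default is 10:30:100 (see below).` On the servconf.c side, max_startups_begin is now a fixed 10 instead of being copied from max_startups, which is right for the unset case, but please confirm the single-value `MaxStartups n` parsing path still sets max_startups_begin and max_startups_rate explicitly; otherwise such a configuration would inherit begin=10 and rate=30 from these new defaults.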
diff -Nru openssh-5.5p1/debian/patches/series openssh-5.5p1/debian/patches/series
--- openssh-5.5p1/debian/patches/series 2012-02-20 02:22:06.000000000 +0000
+++ openssh-5.5p1/debian/patches/series 2013-02-08 21:36:03.000000000 +0000
@@ -29,6 +29,7 @@
# Security fixes
forced-command-debug-security.patch
+max-startups-default.patch
# Versioning
package-versioning.patch
Thanks,
--
Colin Watson [cjwatson@debian.org]
--- End Message ---