Re: FreeBSD Security Advisory FreeBSD-SA-25:01.openssh

From: Christos Chatzaras <chris_at_cretaforce.gr>
Date: Thu, 30 Jan 2025 10:44:28 UTC
Has the patch not been committed to the releng/13.4 branch because the branch is unaffected, or was it accidentally missed?

> On 30 Jan 2025, at 12:25, Konrad Heuer <kheuer.ox@ox.gwdg.de> wrote:
> 
> Hello,
> 
> on our 13.4 systems, freebsd-update doesn't fetch any new files for
> OpenSSH. Seems to be strange in my eyes ...
> 
> Best regards
> Konrad
> 
> On Wed, 2025-01-29 at 21:31 +0000, FreeBSD Security Advisories wrote:
>> =============================================================================
>> FreeBSD-SA-25:01.openssh                                    Security Advisory
>>                                                           The FreeBSD Project
>> 
>> Topic:          OpenSSH Keystroke Obfuscation Bypass
>> 
>> Category:       contrib
>> Module:         openssh
>> Announced:      2025-01-29
>> Credits:        Philippos Giavridis
>> Credits:        Jacky Wei En Kung, Daniel Hugenroth and
>>                Alastair Beresford (University of Cambridge)
>> Affects:        FreeBSD 14.1
>> Corrected:      2024-07-15 18:45:16 UTC (stable/14, 14.2-STABLE)
>>                2025-01-29 18:55:25 UTC (releng/14.1, 14.1-RELEASE-p7)
>>                2024-08-01 15:03:50 UTC (stable/13, 13.4-STABLE)
>> CVE Name:       CVE-2024-39894
>> 
>> For general information regarding FreeBSD Security Advisories,
>> including descriptions of the fields above, security branches, and the
>> following sections, please visit <URL:https://security.FreeBSD.org/>.
>> 
>> I.   Background
>> 
>> OpenSSH is an implementation of the SSH protocol suite, providing an
>> encrypted and authenticated transport for a variety of services, including
>> remote shell access.
>> 
>> OpenSSH version 9.5 introduced a mechanism to mitigate keystroke timing
>> attacks by "sending interactive traffic at fixed intervals when there is
>> only a small amount of data being sent."
>> 
>> II.  Problem Description
>> 
>> A logic error in the ssh(1) ObscureKeystrokeTiming feature (on by default)
>> rendered this feature ineffective.
>> 
>> III. Impact
>> 
>> A passive observer could detect which network packets contain real keystrokes,
>> and infer the specific characters being transmitted from packet timing.
>> 
>> IV.  Workaround
>> 
>> No workaround is available.  This bug does not affect connections when
>> ObscureKeystrokeTiming was disabled or sessions where no TTY was requested.
>> 
>> V.   Solution
>> 
>> Upgrade your vulnerable system to a supported FreeBSD stable or
>> release / security branch (releng) dated after the correction date.
>> 
>> Perform one of the following:
>> 
>> 1) To update your vulnerable system via a binary patch:
>> 
>> Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
>> or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
>> utility:
>> 
>> # freebsd-update fetch
>> # freebsd-update install
>> # shutdown -r +10min "Rebooting for a security update"
>> 
>> 2) To update your vulnerable system via a source code patch:
>> 
>> The following patches have been verified to apply to the applicable
>> FreeBSD release branches.
>> 
>> a) Download the relevant patch from the location below, and verify the
>> detached PGP signature using your PGP utility.
>> 
>> [FreeBSD 14.1]
>> # fetch https://security.FreeBSD.org/patches/SA-25:01/openssh.patch
>> # fetch https://security.FreeBSD.org/patches/SA-25:01/openssh.patch.asc
>> # gpg --verify openssh.patch.asc
>> 
>> b) Apply the patch.  Execute the following commands as root:
>> 
>> # cd /usr/src
>> # patch < /path/to/patch
>> 
>> c) Recompile the operating system using buildworld and installworld as
>> described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
>> 
>> VI.  Correction details
>> 
>> This issue is corrected as of the corresponding Git commit hash in the
>> following stable and release branches:
>> 
>> Branch/path                             Hash                     Revision
>> -------------------------------------------------------------------------
>> stable/14/                              bf9a275b24f6    stable/14-n268158
>> releng/14.1/                            88d5d8108711  releng/14.1-n267735
>> stable/13/                              79853e40abd8    stable/13-n258171
>> -------------------------------------------------------------------------
>> 
>> Run the following command to see which files were modified by a
>> particular commit:
>> 
>> # git show --stat <commit hash>
>> 
>> Or visit the following URL, replacing NNNNNN with the hash:
>> 
>> <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
>> 
>> To determine the commit count in a working tree (for comparison against
>> nNNNNNN in the table above), run:
>> 
>> # git rev-list --count --first-parent HEAD
>> 
>> VII. References
>> 
>> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39894>
>> 
>> The latest revision of this advisory is available at
>> <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-25:01.openssh.asc>
> 
>