svn commit: r431445 - in head/security/openssh-portable: . files
Bryan Drewery
bdrewery at FreeBSD.org
Fri Jan 13 23:39:49 UTC 2017
Author: bdrewery
Date: Fri Jan 13 23:39:48 2017
New Revision: 431445
URL: https://svnweb.freebsd.org/changeset/ports/431445
Log:
Add forgotten patch in r431438 for CVE-2016-10009 and CVE-2016-10010.
Security: 2c948527-d823-11e6-9171-14dae9d210b8
Submitted by: Tim Zingelman <zingelman at gmail.com>
MFH: 2017Q1
Added:
head/security/openssh-portable/files/patch-serverloop.c (contents, props changed)
Modified:
head/security/openssh-portable/Makefile
Modified: head/security/openssh-portable/Makefile
==============================================================================
--- head/security/openssh-portable/Makefile Fri Jan 13 23:38:46 2017 (r431444)
+++ head/security/openssh-portable/Makefile Fri Jan 13 23:39:48 2017 (r431445)
@@ -3,7 +3,7 @@
PORTNAME= openssh
DISTVERSION= 7.3p1
-PORTREVISION= 3
+PORTREVISION= 4
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= OPENBSD/OpenSSH/portable
Added: head/security/openssh-portable/files/patch-serverloop.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/openssh-portable/files/patch-serverloop.c Fri Jan 13 23:39:48 2017 (r431445)
@@ -0,0 +1,23 @@
+Fix CVE-2016-10010
+
+
+--- serverloop.c.orig 2016-07-27 17:54:27.000000000 -0500
++++ serverloop.c 2017-01-11 18:44:42.881227000 -0600
+@@ -999,7 +999,7 @@
+
+ /* XXX fine grained permissions */
+ if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
+- !no_port_forwarding_flag) {
++ !no_port_forwarding_flag && use_privsep) {
+ c = channel_connect_to_path(target,
+ "direct-streamlocal at openssh.com", "direct-streamlocal");
+ } else {
+@@ -1280,7 +1280,7 @@
+
+ /* check permissions */
+ if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
+- || no_port_forwarding_flag) {
++ || no_port_forwarding_flag || !use_privsep) {
+ success = 0;
+ packet_send_debug("Server has disabled port forwarding.");
+ } else {
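Review bot: The new use_privsep test in both serverloop.c hunks (around lines 999 and 1280) has no comment, so the code does not say why streamlocal forwarding depends on privilege separation. The existing "/* XXX fine grained permissions */" and "/* check permissions */" comments do not cover it. Suggest a one-line comment at each site tying the check to CVE-2016-10010. In the second hunk the refusal path still sends "Server has disabled port forwarding.", which is misleading when the only reason for refusal is !use_privsep; a server-side log line naming the cause would help administrators who find forwarding stopped working after the update. Finally, the patch header reads only "Fix CVE-2016-10010" while the commit log also names CVE-2016-10009. Both hunks shown here gate streamlocal forwarding on use_privsep, so the header or the log should state where the other fix lives.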