[openssh-commits] [openssh] branch master updated (7ab700f17 -> 5a5e47740)
git+noreply at mindrot.org
Sun May 31 15:04:03 AEST 2026
This is an automated email from the git hooks/post-receive script.
djm pushed a change to branch master
in repository openssh.
from 7ab700f17 Make failure to set SECCOMP or NO_NEW_PRIVS fatal
new 9d4c0b31f upstream: Replace the old recursive match_pattern() with an
new 1e82d2cfc upstream: fix client use-after-free on error path if cipher_init()
new 10f66b2af upstream: Enforce a maximum size for usernames in agent key use
new 26cde4cfc upstream: stricter validation of the transport state passed from
new 72b05ecd1 upstream: make the transport protocol stricter by disconnecting if
new 8dfe7ed6e upstream: DisableForwarding=yes didn't override PermitTunnel=yes
new 073faa6be upstream: Fix two separate one-byte out-of-bound reads
new 5a5e47740 upstream: disallow use of the copy-data extension to read and write
The 8 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Detailed log of new commits:
commit 5a5e47740b6466d58242aca28b9e584bab4ccf1d
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun May 31 04:59:51 2026 +0000
upstream: disallow use of the copy-data extension to read and write
to the same inode simultaneously; reported by Qifan Zhang of Palo Alto
Networks; ok markus@
OpenBSD-Commit-ID: 94ceb85146d92dbc1289c55d308498d5f56f274a
commit 073faa6beceea162eeeb7963c7352a6c851e507a
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun May 31 04:51:45 2026 +0000
upstream: Fix two separate one-byte out-of-bound reads
1) if a server sent an empty reply to a SSH2_FXP_REALPATH request
2) if a batch command used the full 2048 byte buffer but ended in a
literal backslash character
Both reported by Zhenpeng (Leo) Lin from depthfirst
ok markus@
OpenBSD-Commit-ID: d1ccc1f5a6eb109065ce8a552fea8e502381ce59
commit 8dfe7ed6e2fd988de08df508355a196b956b2753
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun May 31 04:47:29 2026 +0000
upstream: DisableForwarding=yes didn't override PermitTunnel=yes
Reported independently by Huzaifa Sidhpurwala of Redhat and Marko
Jevtic; ok markus@
OpenBSD-Commit-ID: b5c13f0746cf079b21f8deba47407fad49ccbf4c
commit 72b05ecd141b9683285dcdb439de01903c1a07d3
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun May 31 04:44:38 2026 +0000
upstream: make the transport protocol stricter by disconnecting if
the peer sends non-KEX messages during a key re-exchange.
Previously an evil peer could continue sending non-KEX messages
without penalty, causing memory to be wasted up until the
connection terminated or the server/client hit an OOM limit.
reported by Marko Jevtic; ok markus@
OpenBSD-Commit-ID: 8937f0f2096156f5c68ae2dce77956373589d757
commit 26cde4cfc55eb1d336e1249d702c0c4705b0424b
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun May 31 04:37:56 2026 +0000
upstream: stricter validation of the transport state passed from
the unprivileged preauth sshd-auth process to the user-privileged postauth
sshd-session process.
These are harmless unless an attacker had an exploit for sshd-auth
in which case they could be used for post-auth memory DoS or to
crash your own session in a new and exciting way.
Reported by bylee3 and Kayky Vinicius
ok markus
OpenBSD-Commit-ID: 214e256904a4ae4f83d2083096796c9689c1d7b5
commit 10f66b2af950c94af3b25027abec5209d90eb451
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun May 31 04:31:04 2026 +0000
upstream: Enforce a maximum size for usernames in agent key use
constraints
Along with the match_pattern() performance change that was just
committed this avoids a denial-of-service where an agent client could
waste CPU on an agent by sending user constraints with lots of
wildcards.
Reported by Huzaifa Sidhpurwala of Redhat
ok markus
OpenBSD-Commit-ID: 0483817f1a8accf4dbff42b7073ee4d119105d71
commit 1e82d2cfcfd05ec2e4515894a92223f40839c7b8
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun May 31 04:24:39 2026 +0000
upstream: fix client use-after-free on error path if cipher_init()
fails; reported by Qualys Security Advisory Team, ok markus@
OpenBSD-Commit-ID: a8731da0c462b2b9d11314ba505c26ee0cdada83
commit 9d4c0b31f172782def72ccc2fb2dc217d3135e6f
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun May 31 04:19:16 2026 +0000
upstream: Replace the old recursive match_pattern() with an
implementation that uses an NFA for matching. This avoids the exponential
worst-case behaviour for the old implementation.
ok markus@
OpenBSD-Commit-ID: fc6b75a52f4c0acb52b7900658c8d25ff873cbae
Summary of changes:
cipher.c | 8 +++-
cipher.h | 3 +-
kex.c | 9 +++-
kex.h | 3 +-
match.c | 137 +++++++++++++++++++++++++++++++++++++---------------------
packet.c | 24 +++++++---
serverloop.c | 4 +-
sftp-server.c | 27 ++++++++++--
sftp.c | 8 ++--
ssh-agent.c | 12 +++--
ssh.c | 5 ++-
11 files changed, 167 insertions(+), 73 deletions(-)
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
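Added example, not part of the original email and not OpenSSH's match.c: a minimal comparison of a backtracking wildcard matcher with a state-set (NFA) simulation, illustrating the worst-case behaviour that commits 9d4c0b31f and 10f66b2af describe. The names match_backtrack, match_nfa, MAXPAT and steps, and the sample text and pattern, are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAXPAT 256		/* assumed cap on pattern length */
static unsigned long steps;	/* work counter, for comparison only */

/* Naive backtracking matcher for '*' and '?' (constructed, not OpenSSH code). */
static int match_backtrack(const char *s, const char *p)
{
	steps++;
	if (*p == '\0')
		return *s == '\0';
	if (*p != '*')		/* literal or '?': consume one character */
		return *s && (*p == '?' || *p == *s) && match_backtrack(s + 1, p + 1);
	while (!match_backtrack(s, p + 1))	/* '*': try each length in turn */
		if (*s++ == '\0')
			return 0;
	return 1;
}

/* NFA simulation: cur[i] set means p[0..i) has matched; O(|s| * |p|) work. */
static int match_nfa(const char *s, const char *p)
{
	char cur[MAXPAT + 1] = {1}, next[MAXPAT + 1];
	size_t i, m = strlen(p);
	if (m > MAXPAT)
		return 0;	/* fail closed on oversized patterns */
	for (;; s++) {
		memset(next, 0, sizeof(next));
		for (i = 0; i < m; i++, steps++)
			if (cur[i] && p[i] == '*')	/* match empty, or absorb *s */
				cur[i + 1] = next[i] = 1;
			else if (cur[i] && (p[i] == '?' || p[i] == *s))
				next[i + 1] = 1;
		if (*s == '\0')
			return cur[m];	/* text exhausted: accept iff final state live */
		memcpy(cur, next, sizeof(cur));
	}
}

int main(void)
{
	const char *s = "aaaaaaaaaaaaaaaaaaaa", *p = "*a*a*a*a*a*b"; /* constructed */
	int r = match_backtrack(s, p);
	printf("backtrack: match=%d steps=%lu\n", r, steps);
	steps = 0;
	r = match_nfa(s, p);
	printf("nfa:       match=%d steps=%lu\n", r, steps);
	return 0;
}
```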