[openssh-commits] [openssh] branch master updated: upstream: DNS0x20[1] can randomise the case of domain names returned by
git+noreply at mindrot.org
Sun May 31 16:03:51 AEST 2026
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
The following commit(s) were added to refs/heads/master by this push:
new df18979e1 upstream: DNS0x20[1] can randomise the case of domain names returned by
df18979e1 is described below
commit df18979e1137f41a3ffa25f9d06c4fc55073cb34
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Sun May 31 05:55:21 2026 +0000
upstream: DNS0x20[1] can randomise the case of domain names returned by
lookup to force some more uniqueness in queries to reduce the likelihood of
spoofing attacks succeeding.

Normally this should be hidden from the user by the resolver, but
in some cases it can leak through. When it does, it can mess up
ssh's CanonicalizePermittedCNAMEs.

Fix this by forcing the name we received from the system resolver to
lowercase.

bz3966, report and fix by Martin D Kealey

[1] https://datatracker.ietf.org/doc/html/draft-vixie-dnsext-dns0x20-00

OpenBSD-Commit-ID: e0b300d3b3af289e053d928380af71949f95bfb0
---
ssh.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ssh.c b/ssh.c
index 943e1908e..91c16dcca 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.631 2026/05/31 04:24:39 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.632 2026/05/31 05:55:21 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -399,6 +399,7 @@ check_follow_cname(int direct, char **namep, const char *cname)
"\"%s\" => \"%s\"", *namep, cname);
free(*namep);
*namep = xstrdup(cname);
+ lowercase(*namep);
return 1;
}
return 0;
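Review bot: lowercase(*namep) in check_follow_cname() runs only on the accepted path, after the rule has already matched and after cname has been copied into *namep, so this hunk normalises the name that is returned but not the name that was compared. The comparison against the permitted CNAME patterns is outside the visible lines; if that comparison is case-sensitive with respect to cname, a mixed-case name from the resolver would fall through to return 0 before reaching this line, so it is worth confirming that the match above already folds case, or lowercasing a copy of cname before the comparison. The debug message just above the free() still prints cname in the resolver's case, so the logged target can differ from the name actually used afterwards. A one-line comment beside the call saying why the name is folded (DNS0x20 case leaking through the resolver, bz3966) would keep it from being dropped as redundant later.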
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.