pkg/debug: update openssh to version 9.8p1 #4042

Merged

@christoph-zededa (Contributor, Author) wrote:

according to https://fosstodon.org/@musl/112711796005712271 it should "only" be a deadlock for us

for more information about CVE-2024-6387 see also
https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

@christoph-zededa christoph-zededa marked this pull request as draft July 1, 2024 17:46
@christoph-zededa christoph-zededa force-pushed the bump_ssh_cve_2024-6387 branch 2 times, most recently from b45b0d0 to 61bb801 Compare July 1, 2024 18:03
@eriknordmark (Contributor):

Any indication when Alpine might have a fix?

pkg/debug/Dockerfile: review thread (outdated, resolved)
@rene (Contributor) left a comment:

@christoph-zededa, please first check all patches from the Alpine package and see if they are already applied to the version you are fetching....

[Edited: Updates below]

Latest version tagged yesterday:
https://pkgs.alpinelinux.org/package/edge/main/x86_64/openssh#

here is the repo for this version (notice that there are no CVE patches, so sources must be updated. However, there are still some custom patches):
https://git.alpinelinux.org/aports/tree/main/openssh?h=master
https://git.alpinelinux.org/aports/commit/?id=e4bc62018e1fcd89bfa14970d0cd501502e816a5

@rene (Contributor) commented Jul 2, 2024:

FWIW, here is an example on how to build Alpine packages from Dockerfile: https://github.com/lf-edge/eve/blob/master/pkg/cross-compilers/Dockerfile

@christoph-zededa (Contributor, Author) commented Jul 2, 2024:

Any indication when Alpine might have a fix?

Hard to say.
I fear that for alpine 3.16 there will not be an update for openssh - but we're already using some packages from newer versions.
Last update for openssh was in April - https://pkgs.alpinelinux.org/packages?name=openssh&branch=edge&repo=&arch=&maintainer= .

@rene (Contributor) commented Jul 2, 2024:

Any indication when Alpine might have a fix?

Hard to say. I fear that for alpine 3.16 there will not be an update for openssh - but we're already using some packages from newer versions. Last update for openssh was in April - https://pkgs.alpinelinux.org/packages?name=openssh&branch=edge&repo=&arch=&maintainer= .

@christoph-zededa, you can try to build the latest package from edge, the one I pointed to in the comments... it's using 9.7p1 but you can try to bump to 9.8p1...

@christoph-zededa (Contributor, Author):

@rene

FWIW, here is an example on how to build Alpine packages from Dockerfile: https://github.com/lf-edge/eve/blob/master/pkg/cross-compilers/Dockerfile

But they didn't update the version in their git repository either ...
I see:

> git log --pretty=format:"%h%x09%an%x09%ad%x09%s" ./main/openssh | head
e4bc62018e1	Sören Tempel	Thu Apr 4 07:16:38 2024 +0200	main/openssh: enable check() again
b34d5a41ca0	Sören Tempel	Mon Apr 1 01:09:16 2024 +0200	main/openssh: remove fix-verify-dns-segfault.patch
924e8ad166b	Sören Tempel	Mon Apr 1 17:42:32 2024 +0200	main/openssh: remove zero-call-used-regs_all.patch
36d9b553d84	Sören Tempel	Mon Apr 1 01:53:48 2024 +0200	main/openssh: remove gss-serv.c.patch
b544dbe9982	Sören Tempel	Mon Apr 1 06:18:58 2024 +0200	main/openssh: remove sftp-interactive.patch
305d0655aa8	Andy Postnikov	Wed Mar 13 07:58:30 2024 +0100	main/openssh: upgrade to 9.7_p1
ec1af78e994	omni	Mon Dec 18 23:46:08 2023 +0000	main/openssh: security upgrade to 9.6p1
978509f17cd	Milan P. Stanić	Wed Oct 4 14:30:28 2023 +0000	main/openssh: upgrade to 9.5_p1
a78e32f046f	Milan P. Stanić	Thu Aug 10 20:16:53 2023 +0000	main/openssh: upgrade to 9.4_p1
4b4cd657e54	Arnav Singh	Thu Aug 10 09:56:18 2023 -0700	main/openssh: fix init.d script to also look in sshd_config.d/*.conf

@rene (Contributor) commented Jul 2, 2024:

@rene

FWIW, here is an example on how to build Alpine packages from Dockerfile: https://github.com/lf-edge/eve/blob/master/pkg/cross-compilers/Dockerfile

But they didn't update the version in their git repository either ... I see:

> git log --pretty=format:"%h%x09%an%x09%ad%x09%s" ./main/openssh | head
e4bc62018e1	Sören Tempel	Thu Apr 4 07:16:38 2024 +0200	main/openssh: enable check() again
b34d5a41ca0	Sören Tempel	Mon Apr 1 01:09:16 2024 +0200	main/openssh: remove fix-verify-dns-segfault.patch
924e8ad166b	Sören Tempel	Mon Apr 1 17:42:32 2024 +0200	main/openssh: remove zero-call-used-regs_all.patch
36d9b553d84	Sören Tempel	Mon Apr 1 01:53:48 2024 +0200	main/openssh: remove gss-serv.c.patch
b544dbe9982	Sören Tempel	Mon Apr 1 06:18:58 2024 +0200	main/openssh: remove sftp-interactive.patch
305d0655aa8	Andy Postnikov	Wed Mar 13 07:58:30 2024 +0100	main/openssh: upgrade to 9.7_p1
ec1af78e994	omni	Mon Dec 18 23:46:08 2023 +0000	main/openssh: security upgrade to 9.6p1
978509f17cd	Milan P. Stanić	Wed Oct 4 14:30:28 2023 +0000	main/openssh: upgrade to 9.5_p1
a78e32f046f	Milan P. Stanić	Thu Aug 10 20:16:53 2023 +0000	main/openssh: upgrade to 9.4_p1
4b4cd657e54	Arnav Singh	Thu Aug 10 09:56:18 2023 -0700	main/openssh: fix init.d script to also look in sshd_config.d/*.conf

See #4042 (comment)

@rouming (Contributor) commented Jul 2, 2024:

There is a ticket from @famleebob #3994 regarding alpine upgrade.
Any chances 3.20 alpine has fresh updates? So we can close two things at the same time.

Also cc @shjala

@rouming rouming requested a review from shjala July 2, 2024 09:49
@christoph-zededa christoph-zededa force-pushed the bump_ssh_cve_2024-6387 branch 2 times, most recently from f8388b5 to e86e7e8 Compare July 2, 2024 09:57
pkg/debug/ssh/sshd_config: two review threads (resolved)
@rene (Contributor) commented Jul 2, 2024:

There is a ticket from @famleebob #3994 regarding alpine upgrade. Any chances 3.20 alpine has fresh updates? So we can close two things at the same time.

Also cc @shjala

@rouming that would be great, but it seems they didn't update it: #4042 (comment)

@OhmSpectator (Member):

I also found sshd service starting with SOME docker-compose file:

sshd:

Do we know if the file is used by any part of the system?...

@rene (Contributor) commented Jul 2, 2024:

I also found sshd service starting with SOME docker-compose file:

sshd:

Do we know if the file is used by any part of the system?...

@OhmSpectator, this file is used for make run-compose, which aims to "run all EVE microservices via docker-compose deployment"... TBH I don't know if this is in use somewhere....

@rene (Contributor) commented Jul 2, 2024:

@christoph-zededa, I'm still wondering about this patch:

@christoph-zededa (Contributor, Author):

TOOMANYREQUESTS: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit :-(

@OhmSpectator (Member):

TOOMANYREQUESTS: You have reached your pull rate limit.

We should replace this message with something like "NO MORE BUILDS, FEIERABEND!"

@milan-zededa (Contributor):

TOOMANYREQUESTS: You have reached your pull rate limit.

We should replace this message with something like "NO MORE BUILDS, FEIERABEND!"

Maybe this will help: #4043

pkg/debug/Dockerfile: review thread (outdated, resolved)
@christoph-zededa christoph-zededa force-pushed the bump_ssh_cve_2024-6387 branch 2 times, most recently from 6cf2caa to e527c39 Compare July 2, 2024 14:43
@christoph-zededa christoph-zededa marked this pull request as ready for review July 3, 2024 10:58
@rene (Contributor) commented Jul 3, 2024:

LGTM

@milan-zededa (Contributor):

Should this be also backported to LTS versions, i.e. have the "stable" label?

@eriknordmark eriknordmark added the stable Should be backported to stable release(s) label Jul 8, 2024
@@ -63,13 +63,54 @@ ADD https://github.com/pixel/hexedit/archive/refs/tags/1.5.tar.gz ../1.5.tar.gz
RUN tar -C .. -xzvf ../1.5.tar.gz
RUN ./autogen.sh && ./configure && make DESTDIR=/out install

WORKDIR /usr/src
ADD https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz /usr/src
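Review bot: the `ADD https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz /usr/src` line pulls the release tarball into the build with no integrity check before later steps extract and compile it, so anything that alters the bytes in transit or on a mirror would be built and shipped silently. Pin the artifact either with BuildKit's `ADD --checksum=sha256:<hash> <url> <dest>` form or with a `RUN` step that verifies the detached `.asc` signature against the OpenSSH release signing key (copied into the image from the repo, not fetched at build time) and fails the build on mismatch. The hexedit `1.5.tar.gz` fetched in the unchanged context just above has the same gap and would benefit from the same pin.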
Review comment (Member):

sig verify is appreciated.
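A verification step of the kind asked for in this review comment, as an added example that is not code from this PR or from the EVE project: a POSIX sh function that refuses to proceed unless the downloaded tarball matches a pinned SHA-256 and, when a detached `.asc` signature and a keyring file are also supplied, carries a good OpenPGP signature from a key in that keyring. The expected hash, signature path and keyring path are all inputs the caller supplies; no value below is a real OpenSSH release hash, and `sha256sum` and `gpg` are assumed to be present in the build image.

```shell
#!/bin/sh
# verify_tarball TARBALL EXPECTED_SHA256 [ASC KEYRING]
#
# Two independent checks, both fail-closed:
#   1. the file's SHA-256 must equal the pinned value;
#   2. if ASC is given, gpg must report a good signature using ONLY the
#      keys in KEYRING (no default keyring, so a stray key on the build
#      host cannot satisfy the check).
# Returns 0 only when every requested check passes.
verify_tarball() {
    tarball=$1
    expected_sha256=$2
    asc=$3        # optional: path to the detached .asc signature
    keyring=$4    # optional: keyring file holding the release signing key

    if [ ! -f "$tarball" ]; then
        echo "verify_tarball: missing file: $tarball" >&2
        return 1
    fi

    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    if [ "$actual" != "$expected_sha256" ]; then
        echo "verify_tarball: sha256 mismatch for $tarball" >&2
        echo "  expected $expected_sha256" >&2
        echo "  actual   $actual" >&2
        return 1
    fi

    if [ -n "$asc" ]; then
        # A signature without a pinned keyring proves nothing; refuse.
        if [ -z "$keyring" ] || [ ! -f "$keyring" ]; then
            echo "verify_tarball: keyring required for signature check" >&2
            return 1
        fi
        if ! gpg --batch --no-default-keyring --keyring "$keyring" \
                --verify "$asc" "$tarball" 2>/dev/null; then
            echo "verify_tarball: bad or missing signature for $tarball" >&2
            return 1
        fi
    fi
    return 0
}

# Example call as it would appear in a Dockerfile RUN step (placeholder hash):
# verify_tarball /usr/src/openssh-9.8p1.tar.gz "<sha256 from the release announcement>" \
#     /usr/src/openssh-9.8p1.tar.gz.asc /usr/src/openssh-release-key.gpg
```

In the Dockerfile this would run right after the `ADD` line and before `tar`, with the expected hash taken from the release announcement and the signing key committed to the repo rather than downloaded during the build.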


Review comment (Member):

awesome!

according to https://fosstodon.org/@musl/112711796005712271
it should "only" be a deadlock for us

for more information about CVE-2024-6387 see also
https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

Signed-off-by: Christoph Ostarek <christoph@zededa.com>