From 5bc906c19a5b76aefa6ab66c449fe758fc0ee75f Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 8 Feb 2013 14:32:20 +0100
Subject: [PATCH] change default value of MaxStartups - CVE-2010-5107 - #908707

---
 openssh-6.1p1-change-max-startups.patch | 45 +++++++++++++++++++++++++
 openssh.spec                            |  3 ++
 2 files changed, 48 insertions(+)
 create mode 100644 openssh-6.1p1-change-max-startups.patch

diff --git a/openssh-6.1p1-change-max-startups.patch b/openssh-6.1p1-change-max-startups.patch
new file mode 100644
index 0000000..7e3edd2
--- /dev/null
+++ b/openssh-6.1p1-change-max-startups.patch
@@ -0,0 +1,45 @@
+diff --git a/servconf.c b/servconf.c
+index 684fbb4..a230c7b 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -267,11 +267,11 @@ fill_default_server_options(ServerOptions *options)
+ 	if (options->gateway_ports == -1)
+ 		options->gateway_ports = 0;
+ 	if (options->max_startups == -1)
+-		options->max_startups = 10;
++		options->max_startups = 100;
+ 	if (options->max_startups_rate == -1)
+-		options->max_startups_rate = 100;		/* 100% */
++		options->max_startups_rate = 30;		/* 30% */
+ 	if (options->max_startups_begin == -1)
+-		options->max_startups_begin = options->max_startups;
++		options->max_startups_begin = 10;
+ 	if (options->max_authtries == -1)
+ 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
+ 	if (options->max_sessions == -1)
+diff --git a/sshd_config b/sshd_config
+index d1b85d0..5c03fd9 100644
+--- a/sshd_config
++++ b/sshd_config
+@@ -126,7 +126,7 @@ UsePrivilegeSeparation sandbox		# Default for new installations.
+ #ShowPatchLevel no
+ #UseDNS yes
+ #PidFile /var/run/sshd.pid
+-#MaxStartups 10
++#MaxStartups 10:30:100
+ #PermitTunnel no
+ #ChrootDirectory none
+ #VersionAddendum none
+diff --git a/sshd_config.5 b/sshd_config.5
+index fd0d35a..f02f6cc 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -826,7 +826,7 @@ SSH daemon.
+ Additional connections will be dropped until authentication succeeds or the
+ .Cm LoginGraceTime
+ expires for a connection.
+-The default is 10.
++The default is 10:30:100.
+ .Pp
+ Alternatively, random early drop can be enabled by specifying
+ the three colon separated values
diff --git a/openssh.spec b/openssh.spec
index f8a7fa5..5e5a608 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -210,6 +210,8 @@ Patch901: openssh-6.1p1-kuserok.patch
 Patch902: openssh-6.1p1-man-moduli.patch
 # obsolete RequiredAuthentications options
 Patch903: openssh-6.1p1-required-authentications.patch
+# change default value of MaxStartups - CVE-2010-5107 - #908707
+Patch904: openssh-6.1p1-change-max-startups.patch
 
 #---
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1604
@@ -456,6 +458,7 @@ popd
 %patch901 -p1 -b .kuserok
 %patch902 -p1 -b .man-moduli
 %patch903 -p1 -b .required-authentication
+%patch904 -p1 -b .max-startups
 
 %if 0
 # Nothing here yet