From 984bb05a166d224670d6b993e3a1cfe5b09fc45f Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Fri, 8 Feb 2013 14:32:20 +0100 Subject: [PATCH] change default value of MaxStartups - CVE-2010-5107 - #908707 --- openssh-6.1p1-change-max-startups.patch | 45 +++++++++++++++++++++++++ openssh.spec | 3 ++ 2 files changed, 48 insertions(+) create mode 100644 openssh-6.1p1-change-max-startups.patch diff --git a/openssh-6.1p1-change-max-startups.patch b/openssh-6.1p1-change-max-startups.patch new file mode 100644 index 0000000..7e3edd2 --- /dev/null +++ b/openssh-6.1p1-change-max-startups.patch @@ -0,0 +1,45 @@ +diff --git a/servconf.c b/servconf.c +index 684fbb4..a230c7b 100644 +--- a/servconf.c ++++ b/servconf.c +@@ -267,11 +267,11 @@ fill_default_server_options(ServerOptions *options) + if (options->gateway_ports == -1) + options->gateway_ports = 0; + if (options->max_startups == -1) +- options->max_startups = 10; ++ options->max_startups = 100; + if (options->max_startups_rate == -1) +- options->max_startups_rate = 100; /* 100% */ ++ options->max_startups_rate = 30; /* 30% */ + if (options->max_startups_begin == -1) +- options->max_startups_begin = options->max_startups; ++ options->max_startups_begin = 10; + if (options->max_authtries == -1) + options->max_authtries = DEFAULT_AUTH_FAIL_MAX; + if (options->max_sessions == -1) +diff --git a/sshd_config b/sshd_config +index d1b85d0..5c03fd9 100644 +--- a/sshd_config ++++ b/sshd_config +@@ -126,7 +126,7 @@ UsePrivilegeSeparation sandbox # Default for new installations. + #ShowPatchLevel no + #UseDNS yes + #PidFile /var/run/sshd.pid +-#MaxStartups 10 ++#MaxStartups 10:30:100 + #PermitTunnel no + #ChrootDirectory none + #VersionAddendum none +diff --git a/sshd_config.5 b/sshd_config.5 +index fd0d35a..f02f6cc 100644 +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -826,7 +826,7 @@ SSH daemon. + Additional connections will be dropped until authentication succeeds or the + .Cm LoginGraceTime + expires for a connection. +-The default is 10. ++The default is 10:30:100. + .Pp + Alternatively, random early drop can be enabled by specifying + the three colon separated values diff --git a/openssh.spec b/openssh.spec index bf60efa..1ab1ef0 100644 --- a/openssh.spec +++ b/openssh.spec @@ -210,6 +210,8 @@ Patch901: openssh-6.1p1-kuserok.patch Patch902: openssh-6.1p1-man-moduli.patch # obsolete RequiredAuthentications options Patch903: openssh-6.1p1-required-authentications.patch +# change default value of MaxStartups - CVE-2010-5107 - #908707 +Patch904: openssh-6.1p1-change-max-startups.patch #--- #https://bugzilla.mindrot.org/show_bug.cgi?id=1604 @@ -455,6 +457,7 @@ popd %patch901 -p1 -b .kuserok %patch902 -p1 -b .man-moduli %patch903 -p1 -b .required-authentication +%patch904 -p1 -b .max-startups %if 0 # Nothing here yet