[openssh/f17] change default value of MaxStartups - CVE-2010-5107 - #908707

plautrba plautrba at fedoraproject.org
Fri Feb 8 15:02:52 UTC 2013 

commit 43a679b04723ed1fe7f8fe0ad67cc60b950112b5
Author: Petr Lautrbach <plautrba at redhat.com>
Date:   Fri Feb 8 16:01:23 2013 +0100

    change default value of MaxStartups - CVE-2010-5107 - #908707

 openssh-5.9p1-change-max-startups.patch |   42 +++++++++++++++++++++++++++++++
 openssh.spec                            |    3 ++
 2 files changed, 45 insertions(+), 0 deletions(-)
---
diff --git a/openssh-5.9p1-change-max-startups.patch b/openssh-5.9p1-change-max-startups.patch
new file mode 100644
index 0000000..2055e77
--- /dev/null
+++ b/openssh-5.9p1-change-max-startups.patch
@@ -0,0 +1,42 @@
+diff -up openssh-5.9p1/servconf.c.max-startups openssh-5.9p1/servconf.c
+--- openssh-5.9p1/servconf.c.max-startups	2013-02-08 15:59:09.785709477 +0100
++++ openssh-5.9p1/servconf.c	2013-02-08 15:59:09.792709448 +0100
+@@ -265,11 +265,11 @@ fill_default_server_options(ServerOption
+ 	if (options->gateway_ports == -1)
+ 		options->gateway_ports = 0;
+ 	if (options->max_startups == -1)
+-		options->max_startups = 10;
++		options->max_startups = 100;
+ 	if (options->max_startups_rate == -1)
+-		options->max_startups_rate = 100;		/* 100% */
++		options->max_startups_rate = 30;		/* 30% */
+ 	if (options->max_startups_begin == -1)
+-		options->max_startups_begin = options->max_startups;
++		options->max_startups_begin = 10;
+ 	if (options->max_authtries == -1)
+ 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
+ 	if (options->max_sessions == -1)
+diff -up openssh-5.9p1/sshd_config.5.max-startups openssh-5.9p1/sshd_config.5
+--- openssh-5.9p1/sshd_config.5.max-startups	2013-02-08 15:59:09.786709473 +0100
++++ openssh-5.9p1/sshd_config.5	2013-02-08 15:59:09.793709444 +0100
+@@ -796,7 +796,7 @@ SSH daemon.
+ Additional connections will be dropped until authentication succeeds or the
+ .Cm LoginGraceTime
+ expires for a connection.
+-The default is 10.
++The default is 10:30:100.
+ .Pp
+ Alternatively, random early drop can be enabled by specifying
+ the three colon separated values
+diff -up openssh-5.9p1/sshd_config.max-startups openssh-5.9p1/sshd_config
+--- openssh-5.9p1/sshd_config.max-startups	2013-02-08 15:59:09.000000000 +0100
++++ openssh-5.9p1/sshd_config	2013-02-08 16:00:03.784485797 +0100
+@@ -120,7 +120,7 @@ X11Forwarding yes
+ #ShowPatchLevel no
+ #UseDNS yes
+ #PidFile /var/run/sshd.pid
+-#MaxStartups 10
++#MaxStartups 10:30:100
+ #PermitTunnel no
+ #ChrootDirectory none
+ 
diff --git a/openssh.spec b/openssh.spec
index cef7698..fa72350 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -216,6 +216,8 @@ Patch901: openssh-5.9p1-kuserok.patch
 Patch902: openssh-5.9p1-man-moduli.patch
 #https://bugzilla.redhat.com/show_bug.cgi?id=861818
 Patch903: openssh-5.9p1-ipqos.patch
+# change default value of MaxStartups - CVE-2010-5107 - #908707
+Patch904: openssh-5.9p1-change-max-startups.patch
 
 #---
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1604
@@ -464,6 +466,7 @@ popd
 %patch901 -p1 -b .kuserok
 %patch902 -p1 -b .man-moduli
 %patch903 -p1 -b .ipqos
+%patch904 -p1 -b .max-startups
 
 %if 0
 # Nothing here yet

More information about the scm-commits mailing list