OpenSSH CVE-2024-6387 mitigation (on Fedora):echo 'OPTIONS=-e' | sudo tee -a ...

Hector Martin /

npub1qk9…azpx

2024-07-02 07:49:12

OpenSSH CVE-2024-6387 mitigation (on Fedora):echo 'OPTIONS=-e' | sudo tee -a /etc/sysconfig/sshd && sudo systemctl restart sshd

I have no idea why Qualys didn't mention this. The only non-async-safe function called by the vulnerable signal handler is syslog(). So just turn off syslog and log to stderr. On systemd distros, this still ends up in the journal anyway, so you lose nothing.

I confirmed that the message at the root of the issue is logged to stderr and not syslog with this option:<code>[pid 638194] --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---<br>[pid 638194] getpgid(0) = 638194<br>[pid 638194] getpid() = 638194<br>[pid 638194] rt_sigaction(SIGTERM, {sa_handler=SIG_IGN, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTART}, {sa_handler=SIG_DFL, sa_mask=~[KILL STOP RTMIN RT_1], sa_flags=SA_RESTART}, 8) = 0<br>[pid 638194] kill(0, SIGTERM) = 0<br>[pid 638194] getpid() = 638194<br>[pid 638194] write(2, "Timeout before authentication for 192.168.21.10 port 37734\r\n", 60) = 60<br>[pid 638194] exit_group(1) = ?<br>[pid 638194] +++ exited with 1 +++<br></code>

Author Public Key

npub1qk9x6yrvten3jqyvundn7exggm90fxf9yfarj5eaz25yd7aty8hqe9azpx

Show more details

Published at

2024-07-02 07:49:12

Kind type

1 Short Text Note

Event JSON

{ "id": "cd656256ba0bcb9135b33e26875e4f97945faddf0db663d7a8648abf7fcc9fcb", "pubkey": "058a6d106c5e6719008ce4db3f64c846caf49925227a39533d12a846fbab21ee", "created_at": 1719906552, "kind": 1, "tags": [ [ "proxy", "https://social.treehouse.systems/@marcan/112715795823895634", "web" ], [ "proxy", "https://social.treehouse.systems/users/marcan/statuses/112715795823895634", "activitypub" ], [ "L", "pink.momostr" ], [ "l", "pink.momostr.activitypub:https://social.treehouse.systems/users/marcan/statuses/112715795823895634", "pink.momostr" ], [ "expiration", "1722498579" ] ], "content": "OpenSSH CVE-2024-6387 mitigation (on Fedora):echo 'OPTIONS=-e' | sudo tee -a /etc/sysconfig/sshd \u0026amp;\u0026amp; sudo systemctl restart sshd\n\n\n\nI have no idea why Qualys didn't mention this. The only non-async-safe function called by the vulnerable signal handler is syslog(). So just turn off syslog and log to stderr. On systemd distros, this still ends up in the journal anyway, so you lose nothing.\n\nI confirmed that the message at the root of the issue is logged to stderr and not syslog with this option:\u003ccode\u003e[pid 638194] --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---\u003cbr\u003e[pid 638194] getpgid(0) = 638194\u003cbr\u003e[pid 638194] getpid() = 638194\u003cbr\u003e[pid 638194] rt_sigaction(SIGTERM, {sa_handler=SIG_IGN, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTART}, {sa_handler=SIG_DFL, sa_mask=~[KILL STOP RTMIN RT_1], sa_flags=SA_RESTART}, 8) = 0\u003cbr\u003e[pid 638194] kill(0, SIGTERM) = 0\u003cbr\u003e[pid 638194] getpid() = 638194\u003cbr\u003e[pid 638194] write(2, \"Timeout before authentication for 192.168.21.10 port 37734\\r\\n\", 60) = 60\u003cbr\u003e[pid 638194] exit_group(1) = ?\u003cbr\u003e[pid 638194] +++ exited with 1 +++\u003cbr\u003e\u003c/code\u003e", "sig": "4a6e9036017960dd99f1a06272f9bc67d2aa109e3f9b888a079e31b584a3c499416124d4c1e7c4fcca68cdabf7ade4ef2a4810a0c8021282bdf66f841f8e9851" }