News reader

Call for testing: Last bits of DSA to be removed from OpenSSH

2 months ago
In a message to tech@ with the subject "die DSA die", Damien Miller (djm@) presents a diff that will remove the last bits of DSA support from OpenSSH:

List: openbsd-tech
Subject: die DSA die
From: Damien Miller <djm () mindrot ! org>
Date: 2025-05-05 6:34:15

This finally removes all the remaining bits of DSA support from OpenSSH and fixes up the regress tests that I could run. I'm not set up to run the ssh.com interop tests so it's possible they are broken by this.

ok?

Index: usr.bin/ssh/authfd.c
[ … ]

followed by the diff that implements the change.

(An earlier Undeadly article provides some background on DSA removal.)

Note that Damien asks for testing help here -- if you are able to help testing this change before it goes in for real, please do!

ssh: listener sockets relocated from /tmp to ~/.ssh/agent

2 months ago

A long discussion on tech@ (initiated by a suggestion/patch from Jesper Wallin) has culminated in Damien Miller (djm@) committing changes which increase security by taking advantage of the use of unveil(2) elsewhere in the OpenBSD ecosystem:

CVSROOT: /cvs
Module name: src
Changes by: djm@cvs.openbsd.org 2025/05/04 20:48:07

Modified files:
usr.bin/ssh/sshd-session: Makefile
usr.bin/ssh/sshd-auth: Makefile
usr.bin/ssh/ssh-agent: Makefile
usr.bin/ssh : ssh-agent.c ssh-agent.1 session.c pathnames.h misc.h misc.c hostfile.c

Log message:
Move agent listener sockets from /tmp to under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets in sshd(8). This ensures processes (such as Firefox) that have restricted filesystem access that includes /tmp (via unveil(3)) do not have the ability to use keys in an agent.


The installer now prefers disks over 1GB

2 months ago

Klemens Nanni (kn@) has committed his proposed change [see previous article], so the OpenBSD installer now prefers disks over 1GB when prompting for the root disk. The commit message explains the change:

CVSROOT: /cvs
Module name: src
Changes by: kn@cvs.openbsd.org 2025/05/04 06:32:41

Modified files:
distrib/miniroot: install.sub

Log message:
Prefer disks bigger than 1G as default root disk on install

-current picks the alphanumerically first disk as default, which isn't the best choice if install media, softraid(4) key disks or small external media attach before the disk one intends to use.


[$] Injecting speculation barriers into BPF programs

2 months ago
The disclosure of the Spectre class of hardware vulnerabilities created a lot of pain for kernel developers (and many others). That pain was especially acutely felt in the BPF community. While an attacker might have to painfully search the kernel code base for exploitable code, an attacker using BPF can simply write and load their own speculation gadgets, which is a much more efficient way of operating. The BPF community reacted by, among other things, disallowing the loading of programs that may include speculation gadgets. Luis Gerhorst would like to change that situation with this patch series that takes a more direct approach to the problem.
corbet

Security updates for Monday

2 months ago
Security updates have been issued by Debian (ansible, containerd, and vips), Fedora (chromium, java-17-openjdk, nodejs-bash-language-server, nodejs-pnpm, ntpd-rs, redis, rust-hickory-proto, thunderbird, and valkey), Mageia (apache-mod_auth_openidc, fcgi, graphicsmagick, kernel-linus, pam, poppler, and tomcat), Red Hat (firefox, libsoup, nodejs:20, redis:6, rsync, webkit2gtk3, xmlrpc-c, and yelp), and SUSE (audiofile, ffmpeg, firefox, libsoup-2_4-1, libsoup-3_0-0, libva, libxml2, and thunderbird).
jake