-
Notifications
You must be signed in to change notification settings - Fork 560
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[AUTO-CHERRYPICK] cert-manager: patch CVE-2024-45337 - branch main (#…
…11661) Co-authored-by: Andrew Phelps <[email protected]>
- Loading branch information
1 parent
2241a97
commit 7b804dd
Showing
2 changed files
with
82 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,77 @@ | ||
| https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909.patch | ||
|
|
||
| From b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 Mon Sep 17 00:00:00 2001 | ||
| From: Roland Shoemaker <[email protected]> | ||
| Date: Tue, 3 Dec 2024 09:03:03 -0800 | ||
| Subject: [PATCH] ssh: make the public key cache a 1-entry FIFO cache | ||
|
|
||
| Users of the the ssh package seem to extremely commonly misuse the | ||
| PublicKeyCallback API, assuming that the key passed in the last call | ||
| before a connection is established is the key used for authentication. | ||
| Some users then make authorization decisions based on this key. This | ||
| property is not documented, and may not be correct, due to the caching | ||
| behavior of the package, resulting in users making incorrect | ||
| authorization decisions about the connection. | ||
|
|
||
| This change makes the cache a one entry FIFO cache, making the assumed | ||
| property, that the last call to PublicKeyCallback represents the key | ||
| actually used for authentication, actually hold. | ||
|
|
||
| Thanks to Damien Tournoud, Patrick Dawkins, Vince Parker, and | ||
| Jules Duvivier from the Platform.sh / Upsun engineering team | ||
| for reporting this issue. | ||
|
|
||
| Fixes golang/go#70779 | ||
| Fixes CVE-2024-45337 | ||
|
|
||
| Change-Id: Ife7c7b4045d8b6bcd7e3a417bdfae370c709797f | ||
| Reviewed-on: https://go-review.googlesource.com/c/crypto/+/635315 | ||
| Reviewed-by: Roland Shoemaker <[email protected]> | ||
| Auto-Submit: Gopher Robot <[email protected]> | ||
| Reviewed-by: Damien Neil <[email protected]> | ||
| Reviewed-by: Nicola Murino <[email protected]> | ||
| LUCI-TryBot-Result: Go LUCI <[email protected]> | ||
| --- | ||
| vendor/golang.org/x/crypto/ssh/server.go | 15 ++++++++++---- | ||
|
|
||
| diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go | ||
| index c0d1c29e6f..5b5ccd96f4 100644 | ||
| --- a/vendor/golang.org/x/crypto/ssh/server.go | ||
| +++ b/vendor/golang.org/x/crypto/ssh/server.go | ||
| @@ -149,7 +149,7 @@ func (s *ServerConfig) AddHostKey(key Signer) { | ||
| } | ||
|
|
||
| // cachedPubKey contains the results of querying whether a public key is | ||
| -// acceptable for a user. | ||
| +// acceptable for a user. This is a FIFO cache. | ||
| type cachedPubKey struct { | ||
| user string | ||
| pubKeyData []byte | ||
| @@ -157,7 +157,13 @@ type cachedPubKey struct { | ||
| perms *Permissions | ||
| } | ||
|
|
||
| -const maxCachedPubKeys = 16 | ||
| +// maxCachedPubKeys is the number of cache entries we store. | ||
| +// | ||
| +// Due to consistent misuse of the PublicKeyCallback API, we have reduced this | ||
| +// to 1, such that the only key in the cache is the most recently seen one. This | ||
| +// forces the behavior that the last call to PublicKeyCallback will always be | ||
| +// with the key that is used for authentication. | ||
| +const maxCachedPubKeys = 1 | ||
|
|
||
| // pubKeyCache caches tests for public keys. Since SSH clients | ||
| // will query whether a public key is acceptable before attempting to | ||
| @@ -179,9 +185,10 @@ func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) { | ||
|
|
||
| // add adds the given tuple to the cache. | ||
| func (c *pubKeyCache) add(candidate cachedPubKey) { | ||
| - if len(c.keys) < maxCachedPubKeys { | ||
| - c.keys = append(c.keys, candidate) | ||
| + if len(c.keys) >= maxCachedPubKeys { | ||
| + c.keys = c.keys[1:] | ||
| } | ||
| + c.keys = append(c.keys, candidate) | ||
| } | ||
|
|
||
| // ServerConn is an authenticated SSH connection, as seen from the |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,7 @@ | ||
| Summary: Automatically provision and manage TLS certificates in Kubernetes | ||
| Name: cert-manager | ||
| Version: 1.11.2 | ||
| Release: 15%{?dist} | ||
| Release: 16%{?dist} | ||
| License: ASL 2.0 | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Mariner | ||
|
|
@@ -28,6 +28,7 @@ Patch5: CVE-2023-3978.patch | |
| Patch6: CVE-2024-24786.patch | ||
| Patch7: CVE-2024-28180.patch | ||
| Patch8: CVE-2023-2253.patch | ||
| Patch9: CVE-2024-45337.patch | ||
| BuildRequires: golang | ||
| Requires: %{name}-acmesolver | ||
| Requires: %{name}-cainjector | ||
|
|
@@ -120,6 +121,9 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/ | |
| %{_bindir}/webhook | ||
|
|
||
| %changelog | ||
| * Tue Dec 17 2024 Andrew Phelps <[email protected]> - 1.11.2-16 | ||
| - Add patch for CVE-2024-45337 | ||
|
|
||
| * Mon Sep 09 2024 CBL-Mariner Servicing Account <[email protected]> - 1.11.2-15 | ||
| - Bump release to rebuild with go 1.22.7 | ||
|
|
||
|
|
||