Success

Changes

Summary

  1. OpenSSL 1.0.2p (commit: 211606d) (details)
  2. OpenSSH: fix CVE-2018-15473 (username enumeration) (commit: 43616c8) (details)
  3. expat 2.2.6 (commit: 04ac3e8) (details)
Commit 211606ddc8f2c04cb15f6567345ccfea77fcec9d by Andreas Wacknitz
OpenSSL 1.0.2p
Notes: https://www.openssl.org/news/openssl-1.0.2-notes.html
Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p:
* Client DoS due to large DH parameter (CVE-2018-0732)
* Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
ABI compatible:
https://abi-laboratory.pro/index.php?view=objects_report&l=openssl&v1=1.0.2o&v2=1.0.2p

Test suite runs looked good.
(commit: 211606d)
The file was modified components/library/openssl/openssl-1.0.2/openssl-1.0.2.p5m (diff)
The file was removed components/library/openssl/openssl-1.0.2/patches/CVE-2018-0737.patch
The file was modified components/library/openssl/openssl-1.0.2/manifests/sample-manifest.p5m (diff)
The file was removed components/library/openssl/openssl-1.0.2/patches/CVE-2018-0732.patch
The file was modified components/library/openssl/openssl-1.0.2/Makefile (diff)
Commit 43616c8731a48eff82ca79506d41e2b1e3f90baf by Andreas Wacknitz
OpenSSH: fix CVE-2018-15473 (username enumeration)
Fix from OpenSSH 7.8p1 (https://www.openssh.com/releasenotes.html):
```
* sshd(8): add some countermeasures against timing attacks used for
  account validation/enumeration. sshd will enforce a minimum time
  for each failed authentication attempt consisting of a global 5ms
  minimum plus an additional per-user 0-4ms delay derived from a
  host secret.
```
Debian patch:
https://sources.debian.org/patches/openssh/1:7.4p1-10+deb9u4/upstream-delay-bailout-for-invalid-authenticating-user.patch/


**Testing (exploit: https://www.exploit-db.com/exploits/45210/)**
Affected:
```
$ python 45210.py 192.168.1.12 root
[+] Valid username

$ python 45210.py 192.168.1.12 thisisinvalid
[*] Invalid username
```
Fixed:
```
$ python 45210.py 192.168.1.181 root
[+] Valid username

$ python 45210.py 192.168.1.181 thisisinvalid
[+] Valid username
```
(commit: 43616c8)
The file was modified components/network/openssh/Makefile (diff)
The file was added components/network/openssh/patches/CVE-2018-15473.patch
Commit 04ac3e867db3637a6dd386947ebd31b217036bc7 by Andreas Wacknitz
expat 2.2.6
Changes: https://github.com/libexpat/libexpat/blob/R_2_2_6/expat/Changes

Notably, fixes UTF-8 bug required for Python 2.7.15 test suite to pass.

Test suite now seems to have a different output.
(commit: 04ac3e8)
The file was modified components/library/libexpat/test/results-all.master (diff)
The file was modified components/library/libexpat/expat.p5m (diff)
The file was modified components/library/libexpat/Makefile (diff)
The file was modified components/library/libexpat/manifests/sample-manifest.p5m (diff)