search for: allowlist

Displaying 20 results from an estimated 20 matches for "allowlist".

2023 Jul 19
3
Announce: OpenSSH 9.3p2 released
...lowing conditions are met: * Exploitation requires the presence of specific libraries on the victim system. * Remote exploitation requires that the agent was forwarded to an attacker-controlled system. Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries. This vulnerability was discovered and demonstrated to be exploitable by the Qualys Security Advisory team. In addition to removing the main precondition for exploitation, this release remove...
2023 Jul 19
0
Announce: OpenSSH 9.3p2 released
...lowing conditions are met: * Exploitation requires the presence of specific libraries on the victim system. * Remote exploitation requires that the agent was forwarded to an attacker-controlled system. Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries. This vulnerability was discovered and demonstrated to be exploitable by the Qualys Security Advisory team. In addition to removing the main precondition for exploitation, this release remove...
2023 Jul 20
0
Feature Request (re: CVE-2023-3840)
On 19.07.23 16:40, Damien Miller wrote: > Exploitation can also be prevented by starting ssh-agent(1) with an > empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring > an allowlist that contains only specific provider libraries. Upon trying to deploy such a workaround, I found that the call to ssh-agent(1) nowadays is hidden *ridiculously* deep in the GUI startup mechanisms. (As in, did "find | xargs grep s...
2023 Jul 19
1
Announce: OpenSSH 9.3p2 released
...> * Exploitation requires the presence of specific libraries on > the victim system. > * Remote exploitation requires that the agent was forwarded > to an attacker-controlled system. > > Exploitation can also be prevented by starting ssh-agent(1) with an > empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring > an allowlist that contains only specific provider libraries. > > This vulnerability was discovered and demonstrated to be exploitable > by the Qualys Security Advisory team. > > In addition to removing the main precondition for exploit...
2023 Jul 04
1
[PATCH v2 3/3] vduse: Temporarily disable control queue features
...; + (1ULL << VIRTIO_NET_F_CTRL_MAC_ADDR) | > + (1ULL << VIRTIO_NET_F_RSS) | > + (1ULL << VIRTIO_NET_F_HASH_REPORT) | > + (1ULL << VIRTIO_NET_F_NOTF_COAL)); > + } > +} > + This will never be exhaustive, we are adding new features. Please add an allowlist with just legal ones instead. > static int vduse_create_dev(struct vduse_dev_config *config, > void *config_buf, u64 api_version) > { > @@ -1793,6 +1812,8 @@ static int vduse_create_dev(struct vduse_dev_config *config, > if (!dev) > goto err; > > + vduse_d...
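Review bot: the feature mask built in this hunk is a denylist of the control-queue-dependent bits (VIRTIO_NET_F_CTRL_MAC_ADDR, VIRTIO_NET_F_RSS, VIRTIO_NET_F_HASH_REPORT, VIRTIO_NET_F_NOTF_COAL), so any control-queue feature bit added later is passed through unfiltered and the VDUSE hang the cover letter describes returns silently; inverting it into an allowlist of the features VDUSE is known to handle safely fails closed instead, which is what the reply asks for. The second hunk in vduse_create_dev() is cut off after "+ vduse_d...", so the call site of the new filter cannot be reviewed from this excerpt.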
2023 Mar 10
3
Call for testing: OpenSSH 9.3
...nvocation in a test. * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage says it should; bz3532. * ssh(1): ensure that there is a terminating newline when adding a new entry to known_hosts; bz3529 Portability ----------- * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of mmap(2), madvise(2) and futex(2) flags, removing some concerning kernel attack surface. * sshd(8): improve Linux seccomp-bpf sandbox for older systems; bz3537
2024 Oct 21
1
Security of ssh across a LAN, public key versus password
...ere is also much to be said for preventing anyone from even attempting unauthorized access in the first place. If no one from outside your LAN needs to get in, then simply deny port 22 at the level of your outward-facing firewall. If some external access is required, then see if you can generate an allowlist. I've had good experiences using a cron job to generate ipsets based on whois data for specific ISPs. Then whoever is with that ISP can get access, but no one else. I found this 100% killed botnet noise from my logs. And, putting the most important bit last, always consider your cybersecurity...
2023 Jul 04
1
[PATCH v2 3/3] vduse: Temporarily disable control queue features
Virtio-net driver control queue implementation is not safe when used with VDUSE. If the VDUSE application does not reply to control queue messages, it currently ends up hanging the kernel thread sending this command. Some work is on-going to make the control queue implementation robust with VDUSE. Until it is completed, let's disable control virtqueue and features that depend on it.
2023 Mar 15
0
Announce: OpenSSH 9.3 released
...nvocation in a test. * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage says it should; bz3532. * ssh(1): ensure that there is a terminating newline when adding a new entry to known_hosts; bz3529 Portability ----------- * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of mmap(2), madvise(2) and futex(2) flags, removing some concerning kernel attack surface. * sshd(8): improve Linux seccomp-bpf sandbox for older systems; bz3537 Checksums: ========== - SHA1 (openssh-9.3.tar.gz) = 5f9d2f73ddfe94f3f0a78bdf46704b6ad7b66ec7 - SHA256 (openssh-9.3.tar.gz) =...
2024 Oct 21
7
Security of ssh across a LAN, public key versus password
I have a small LAN at home with nine or ten systems on it running various varieties of Linux. I 'do things' on the LAN either from my desktop machine or from my laptop, both run Xubuntu 24.04 at the moment. There's a couple of headless systems on the LAN where login security is important to me and I've been thinking about the relative merits of password and public-key
2023 Jun 06
2
[PATCH] vhost-vdpa: filter VIRTIO_F_RING_PACKED feature
On Mon, Jun 5, 2023 at 10:58 PM Stefano Garzarella <sgarzare at redhat.com> wrote: > > On Mon, Jun 05, 2023 at 09:54:57AM -0400, Michael S. Tsirkin wrote: > >On Mon, Jun 05, 2023 at 03:30:35PM +0200, Stefano Garzarella wrote: > >> On Mon, Jun 05, 2023 at 09:00:25AM -0400, Michael S. Tsirkin wrote: > >> > On Mon, Jun 05, 2023 at 02:54:20PM +0200, Stefano
2023 Jun 23
15
[Bug 3584] New: Segfault when built with optimisations on macOS 13 (x86_64) with Xcode 14.3
https://bugzilla.mindrot.org/show_bug.cgi?id=3584 Bug ID: 3584 Summary: Segfault when built with optimisations on macOS 13 (x86_64) with Xcode 14.3 Product: Portable OpenSSH Version: 9.3p1 Hardware: amd64 OS: Mac OS X Status: NEW Severity: major Priority: P5
2023 Oct 19
12
[Bug 3629] New: Building with Clang-17 fails due to -fzero-call-used-regs
https://bugzilla.mindrot.org/show_bug.cgi?id=3629 Bug ID: 3629 Summary: Building with Clang-17 fails due to -fzero-call-used-regs Product: Portable OpenSSH Version: 9.5p1 Hardware: amd64 OS: Mac OS X Status: NEW Severity: critical Priority: P5 Component: Build system
2024 Dec 01
5
[RFC 0/5] GPU Direct RDMA (P2P DMA) for Device Private Pages
From: Yonatan Maman <Ymaman at Nvidia.com> Based on: Provide a new two step DMA mapping API patchset https://lore.kernel.org/kvm/20241114170247.GA5813 at lst.de/T/#t This patch series aims to enable Peer-to-Peer (P2P) DMA access in GPU-centric applications that utilize RDMA and private device pages. This enhancement reduces data transfer overhead by allowing the GPU to directly expose
2022 Dec 20
37
[Bug 3512] New: net-misc/openssh-9.1_p1: stopped accepting connections after upgrade to sys-libs/glibc-2.36 (fatal: ssh_sandbox_violation: unexpected system call)
https://bugzilla.mindrot.org/show_bug.cgi?id=3512 Bug ID: 3512 Summary: net-misc/openssh-9.1_p1: stopped accepting connections after upgrade to sys-libs/glibc-2.36 (fatal: ssh_sandbox_violation: unexpected system call) Product: Portable OpenSSH Version: 9.1p1 Hardware: amd64 OS: Linux
2020 Aug 14
0
[libnbd PATCH v2 11/13] api: Add nbd_aio_opt_list
...r of exports that might be advertised, so client code should be aware that -a server may send a lengthy list; libnbd truncates the server reply -after 10000 exports. +a server may send a lengthy list. For L<nbd-server(1)> you will need to allow clients to make list requests by adding C<allowlist=true> to the C<[generic]> section of F</etc/nbd-server/config>. For L<qemu-nbd(8)>, a description is set with I<-D>."; example = Some "examples/list-exports.c"; - see_also = [Link "set_opt_mode"; Link "opt_go"; -...
2020 Aug 18
3
[libnbd PATCH v3 0/2] Implementing NBD_OPT_LIST
This is a subset of my v2 posting, but limited to just the NBD_OPT_LIST handling. The biggest change since v2 is the addition of added unit testing in all four language bindings (C, python, ocaml, golang). The tests require nbdkit built from git on PATH, and may not be entirely idiomatic, but I at least validated that they catch issues (for example, adding an exit statement near the end of the
2020 Aug 18
0
[libnbd PATCH v3 2/2] api: Add nbd_aio_opt_list
...r of exports that might be advertised, so client code should be aware that -a server may send a lengthy list; libnbd truncates the server reply -after 10000 exports. +a server may send a lengthy list. For L<nbd-server(1)> you will need to allow clients to make list requests by adding C<allowlist=true> to the C<[generic]> section of F</etc/nbd-server/config>. For L<qemu-nbd(8)>, a description is set with I<-D>."; example = Some "examples/list-exports.c"; - see_also = [Link "set_opt_mode"; Link "opt_go"; -...
2020 Jun 19
21
Inclusive language in LLVM: can we rename `master` branch?
Hi, When we moved to GitHub a few months ago, we used without more consideration the "master" convention to name our development branch. On SVN it used to be just "trunk". This naming is unfortunate <https://tools.ietf.org/id/draft-knodel-terminology-00.html#rfc.section.1.1> as it can hurt some contributors
2020 Aug 14
18
[libnbd PATCH v2 00/13] Adding nbd_set_opt_mode to improve nbdinfo
Well, I'm not quite done (I still want to get nbdinfo to work on a single nbd connection for all cases when reading the heads of the file is not required), but I'm happy with patches 1-11, and 12-13 show where I'm headed for getting NBD_OPT_INFO to work. Posting now to see if some of the earlier patches are ready to commit while I continue working on the latter half. Eric Blake (13):