2024 Apr 25
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
A few days ago, I published an article analyzing the susceptibility of the DHEat denial-of-service vulnerability against default OpenSSH settings in cloud environments. I thought those on this list might be interested: https://www.positronsecurity.com/blog/2024-04-23-an-analysis-of-dheat-dos-against-ssh-in-cloud-environments/ A short summary: the default MaxStartup setting is fully ineffective
2024 Jun 19
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
In the upcoming v9.8 release notes I see "the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server." Has this new PerSourcePenalties config directive been tested against the DHEat attack? - Joe On Thu, 2024-04-25 at 18:09 -0400, Joseph S. Testa II wrote: > A few days ago, I
2024 Jul 03
5
[Bug 3706] New: Support upgrading sshd without restarting the server
https://bugzilla.mindrot.org/show_bug.cgi?id=3706 Bug ID: 3706 Summary: Support upgrading sshd without restarting the server Product: Portable OpenSSH Version: -current Hardware: amd64 OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee:
2024 Jun 25
3
An Analysis of the DHEat DoS Against SSH in Cloud Environments
On Wed, 2024-06-19 at 16:11 -0400, Joseph S. Testa II wrote: > I suppose in the next few days, I'll try reproducing my original > steps > with the new version and see what happens. I managed to do some limited testing with a local VM, and the results are... interesting. I installed openssh-SNAP-20240626.tar.gz on a fresh and fully-updated Ubuntu Linux 24.04 LTS VM with 1 vCPU.
2010 Mar 30
3
[Bug 1747] New: AuthorizedKeysFile not working as advertised
https://bugzilla.mindrot.org/show_bug.cgi?id=1747 Summary: AuthorizedKeysFile not working as advertised Product: Portable OpenSSH Version: 5.4p1 Platform: Other OS/Version: Linux Status: NEW Severity: major Priority: P2 Component: sshd AssignedTo: unassigned-bugs at mindrot.org ReportedBy:
2024 Jul 16
1
[Bug 3711] New: How do you defend against the D (HE) ater attack?
https://bugzilla.mindrot.org/show_bug.cgi?id=3711 Bug ID: 3711 Summary: How do you defend against the D (HE) ater attack? Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: security Priority: P5 Component: sshd Assignee: unassigned-bugs at
2024 Jun 18
2
Call for testing: openssh-9.8
On Tue, 18 Jun 2024, Chris Rapier wrote: > Just curious, has this been tested at scale? I see that there are, by > default, a maximum number of hosts it can track (default of 64k it > seems). At that point I think one of two things happen - sshd stops > allowing all connections until some of the banned IPs age out (with > the exception of those IPs on an approved list) or it drops
2024 Jun 19
2
An Analysis of the DHEat DoS Against SSH in Cloud Environments
On Wed, 2024-06-19 at 09:19 -0400, chris wrote: > real world example (current snapshot of portable on linux v. dheater) Thanks for this. However, much more extensive testing would be needed to show it is a complete solution. In my original research article, I used CPU idle time as the main metric. Also, I showed that very low-latency network links could bypass the existing countermeasures.
2011 Apr 21
0
AST-2011-005: File Descriptor Resource Exhaustion
Asterisk Project Security Advisory - AST-2011-005 Product Asterisk Summary File Descriptor Resource Exhaustion Nature of Advisory Denial of Service Susceptibility Remote Unauthenticated TCP Based Sessions (TCP SIP, Skinny,
2008 Mar 18
0
AST-2008-003: Unauthenticated calls allowed from SIP channel driver
Asterisk Project Security Advisory - AST-2008-003 +------------------------------------------------------------------------+ | Product | Asterisk | |--------------------+---------------------------------------------------| | Summary | Unauthenticated calls allowed from SIP channel | | | driver
2024 Jun 19
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
On Tue, 18 Jun 2024, Joseph S. Testa II wrote: > In the upcoming v9.8 release notes I see "the server will now block > client addresses that repeatedly fail authentication, repeatedly > connect without ever completing authentication or that crash the > server." Has this new PerSourcePenalties config directive been tested > against the DHEat attack? Not explicitly but
2007 Apr 24
0
ASA-2007-010: Two stack buffer overflows in SIP channel's T.38 SDP parsing code
> Asterisk Project Security Advisory - ASA-2007-010 > > +------------------------------------------------------------------------+ > | Product | Asterisk | > |--------------------+---------------------------------------------------| > | Summary | Two stack buffer overflows in SIP
2014 Nov 13
0
[PATCH 2/2] virtio-net: fix buggy features advertised by host
This patch tries to detect the possible buggy features advertised by host and fix them. One example is currently booting virtio-net with only ctrl_vq disabled: qemu may still advertise many features which depend on it. This will trigger several BUG()s in virtnet_send_command(). This patch utilizes the fix_features() method, and disables all features that depend on ctrl_vq if it was not advertised.
2014 Nov 13
0
[PATCH 2/2] virtio-net: fix buggy features advertised by host
This patch tries to detect the possible buggy features advertised by host and fix them. One example is booting virtio-net with only ctrl_vq disabled: qemu may still advertise many features which depend on it. This will trigger several BUG()s in virtnet_send_command(). This patch utilizes the fix_features() method, and disables all features that depend on ctrl_vq if it was not advertised. This
2024 Jun 18
7
Call for testing: openssh-9.8
Hi, OpenSSH 9.8p1 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is a bugfix release. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is also available via git using the instructions at
2012 Oct 23
0
Bug#691258: Missing / in RE for "reducing the advertised EDNS UDP packet size"
Package: logcheck Version: 1.3.15 Severity: minor Tags: patch Hi, Got this log from time to time in System Events: Oct 23 13:48:16 pig2 named[28880]: success resolving '26.0/25.218.183.203.in-addr.arpa/PTR' (in '0/25.218.183.203.in-addr.arpa'?) after reducing the advertised EDNS UDP packet size to 512 octets Changing the regexp for the "(in '...'?)"