Displaying 20 results from an estimated 10000 matches similar to: "[Bug 3709] New: PerSourceMaxStartups no longer works as advertised"
2024 Apr 25
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
A few days ago, I published an article analyzing the susceptibility of
the DHEat denial-of-service vulnerability against default OpenSSH
settings in cloud environments. I thought those on this list might be
interested:
https://www.positronsecurity.com/blog/2024-04-23-an-analysis-of-dheat-dos-against-ssh-in-cloud-environments/
A short summary: the default MaxStartup setting is fully ineffective
2024 Jun 19
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
In the upcoming v9.8 release notes I see "the server will now block
client addresses that repeatedly fail authentication, repeatedly
connect without ever completing authentication or that crash the
server." Has this new PerSourcePenalties config directive been tested
against the DHEat attack?
- Joe
On Thu, 2024-04-25 at 18:09 -0400, Joseph S. Testa II wrote:
> A few days ago, I
2024 Jul 03
5
[Bug 3706] New: Support upgrading sshd without restarting the server
https://bugzilla.mindrot.org/show_bug.cgi?id=3706
Bug ID: 3706
Summary: Support upgrading sshd without restarting the server
Product: Portable OpenSSH
Version: -current
Hardware: amd64
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee:
2024 Jun 25
3
An Analysis of the DHEat DoS Against SSH in Cloud Environments
On Wed, 2024-06-19 at 16:11 -0400, Joseph S. Testa II wrote:
> I suppose in the next few days, I'll try reproducing my original
> steps
> with the new version and see what happens.
I managed to do some limited testing with a local VM, and the results
are... interesting.
I installed openssh-SNAP-20240626.tar.gz on a fresh and fully-updated
Ubuntu Linux 24.04 LTS VM with 1 vCPU.
2010 Mar 30
3
[Bug 1747] New: AuthorizedKeysFile not working as advertised
https://bugzilla.mindrot.org/show_bug.cgi?id=1747
Summary: AuthorizedKeysFile not working as advertised
Product: Portable OpenSSH
Version: 5.4p1
Platform: Other
OS/Version: Linux
Status: NEW
Severity: major
Priority: P2
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy:
2024 Jul 16
1
[Bug 3711] New: How do you defend against the D (HE) ater attack?
https://bugzilla.mindrot.org/show_bug.cgi?id=3711
Bug ID: 3711
Summary: How do you defend against the D (HE) ater attack?
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: security
Priority: P5
Component: sshd
Assignee: unassigned-bugs at
2024 Jun 18
2
Call for testing: openssh-9.8
On Tue, 18 Jun 2024, Chris Rapier wrote:
> Just curious, has this been tested at scale? I see that there are, by
> default, a maximum number of hosts it can track (default of 64k it
> seems). At that point I think one of two things happen - sshd stops
> allowing all connections until some of the banned IPs age out (with
> the exception of those IPs on an approved list) or it drops
2024 Jun 19
2
An Analysis of the DHEat DoS Against SSH in Cloud Environments
On Wed, 2024-06-19 at 09:19 -0400, chris wrote:
> real world example (current snapshot of portable on linux v. dheater)
Thanks for this. However, much more extensive testing would be needed
to show it is a complete solution. In my original research article, I
used CPU idle time as the main metric. Also, I showed that very low-
latency network links could bypass the existing countermeasures.
2011 Apr 21
0
AST-2011-005: File Descriptor Resource Exhaustion
Asterisk Project Security Advisory - AST-2011-005
Product Asterisk
Summary File Descriptor Resource Exhaustion
Nature of Advisory Denial of Service
Susceptibility Remote Unauthenticated TCP Based Sessions (TCP SIP,
Skinny,
2011 Apr 21
0
AST-2011-005: File Descriptor Resource Exhaustion
Asterisk Project Security Advisory - AST-2011-005
Product Asterisk
Summary File Descriptor Resource Exhaustion
Nature of Advisory Denial of Service
Susceptibility Remote Unauthenticated TCP Based Sessions (TCP SIP,
Skinny,
2008 Mar 18
0
AST-2008-003: Unauthenticated calls allowed from SIP channel driver
Asterisk Project Security Advisory - AST-2008-003
+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | Unauthenticated calls allowed from SIP channel |
| | driver
2008 Mar 18
0
AST-2008-003: Unauthenticated calls allowed from SIP channel driver
Asterisk Project Security Advisory - AST-2008-003
+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | Unauthenticated calls allowed from SIP channel |
| | driver
2024 Jun 19
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
On Tue, 18 Jun 2024, Joseph S. Testa II wrote:
> In the upcoming v9.8 release notes I see "the server will now block
> client addresses that repeatedly fail authentication, repeatedly
> connect without ever completing authentication or that crash the
> server." Has this new PerSourcePenalties config directive been tested
> against the DHEat attack?
Not explicitly but
2007 Apr 24
0
ASA-2007-010: Two stack buffer overflows in SIP channel's T.38 SDP parsing code
> Asterisk Project Security Advisory - ASA-2007-010
>
> +------------------------------------------------------------------------+
> | Product | Asterisk |
> |--------------------+---------------------------------------------------|
> | Summary | Two stack buffer overflows in SIP
2007 Apr 24
0
ASA-2007-010: Two stack buffer overflows in SIP channel's T.38 SDP parsing code
> Asterisk Project Security Advisory - ASA-2007-010
>
> +------------------------------------------------------------------------+
> | Product | Asterisk |
> |--------------------+---------------------------------------------------|
> | Summary | Two stack buffer overflows in SIP
2014 Nov 13
0
[PATCH 2/2] virtio-net: fix buggy features advertised by host
This patch tries to detect the possible buggy features advertised by host
and fix them. One example is current booting virtio-net with only
ctrl_vq disabled, qemu may still advertise many features which depends
it. This will trigger several BUG()s in virtnet_send_command().
This patch utilizes the fix_features() method, and disable all features that
depends on ctrl_vq if it was not advertised.
2014 Nov 13
0
[PATCH 2/2] virtio-net: fix buggy features advertised by host
This patch tries to detect the possible buggy features advertised by host
and fix them. One example is booting virtio-net with only ctrl_vq disabled,
qemu may still advertise many features which depends on it. This will
trigger several BUG()s in virtnet_send_command().
This patch utilizes the fix_features() method, and disables all features that
depends on ctrl_vq if it was not advertised.
This
2014 Nov 13
0
[PATCH 2/2] virtio-net: fix buggy features advertised by host
This patch tries to detect the possible buggy features advertised by host
and fix them. One example is current booting virtio-net with only
ctrl_vq disabled, qemu may still advertise many features which depends
it. This will trigger several BUG()s in virtnet_send_command().
This patch utilizes the fix_features() method, and disable all features that
depends on ctrl_vq if it was not advertised.
2024 Jun 18
7
Call for testing: openssh-9.8
Hi,
OpenSSH 9.8p1 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a bugfix release.
Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/
The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html
Portable OpenSSH is also available via git using the
instructions at
2012 Oct 23
0
Bug#691258: Missing / in RE for "reducing the advertised EDNS UDP packet size"
Package: logcheck
Version: 1.3.15
Severity: minor
Tags: patch
Hi,
Got this log from time to time in System Events:
Oct 23 13:48:16 pig2 named[28880]: success resolving '26.0/25.218.183.203.in-addr.arpa/PTR' (in '0/25.218.183.203.in-addr.arpa'?) after reducing the advertised EDNS UDP packet size to 512 octets
Changing the regexp for the "(in '...'?)"