diff --git a/SPECS/cert-manager/CVE-2024-45337.patch b/SPECS/cert-manager/CVE-2024-45337.patch
deleted file mode 100644
index 41cdea3ce45..00000000000
--- a/SPECS/cert-manager/CVE-2024-45337.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 784057d777784f1737dbf5d660f32bf2577add4c Mon Sep 17 00:00:00 2001
-From: Roland Shoemaker
-Date: Tue, 3 Dec 2024 09:03:03 -0800
-Subject: [PATCH] ssh: make the public key cache a 1-entry FIFO cache
-
-Users of the the ssh package seem to extremely commonly misuse the
-PublicKeyCallback API, assuming that the key passed in the last call
-before a connection is established is the key used for authentication.
-Some users then make authorization decisions based on this key. This
-property is not documented, and may not be correct, due to the caching
-behavior of the package, resulting in users making incorrect
-authorization decisions about the connection.
-
-This change makes the cache a one entry FIFO cache, making the assumed
-property, that the last call to PublicKeyCallback represents the key
-actually used for authentication, actually hold.
-
-Thanks to Damien Tournoud, Patrick Dawkins, Vince Parker, and
-Jules Duvivier from the Platform.sh / Upsun engineering team
-for reporting this issue.
-
-Fixes golang/go#70779
-Fixes CVE-2024-45337
-
-Change-Id: Ife7c7b4045d8b6bcd7e3a417bdfae370c709797f
-Reviewed-on: https://go-review.googlesource.com/c/crypto/+/635315
-Reviewed-by: Roland Shoemaker
-Auto-Submit: Gopher Robot
-Reviewed-by: Damien Neil
-Reviewed-by: Nicola Murino
-LUCI-TryBot-Result: Go LUCI
-Signed-off-by: Muhammad Falak R Wani
----
- .../vendor/golang.org/x/crypto/ssh/server.go | 15 +++++++++++----
- 1 file changed, 11 insertions(+), 4 deletions(-)
-
-diff --git a/cmd/controller/vendor/golang.org/x/crypto/ssh/server.go b/cmd/controller/vendor/golang.org/x/crypto/ssh/server.go
-index 3ca9e89..a8b673c 100644
---- a/cmd/controller/vendor/golang.org/x/crypto/ssh/server.go
-+++ b/cmd/controller/vendor/golang.org/x/crypto/ssh/server.go
-@@ -149,7 +149,7 @@ func (s *ServerConfig) AddHostKey(key Signer) {
- }
-
- // cachedPubKey contains the results of querying whether a public key is
--// acceptable for a user.
-+// acceptable for a user. This is a FIFO cache.
- type cachedPubKey struct {
- user string
- pubKeyData []byte
-@@ -157,7 +157,13 @@ type cachedPubKey struct {
- perms *Permissions
- }
-
--const maxCachedPubKeys = 16
-+// maxCachedPubKeys is the number of cache entries we store.
-+//
-+// Due to consistent misuse of the PublicKeyCallback API, we have reduced this
-+// to 1, such that the only key in the cache is the most recently seen one. This
-+// forces the behavior that the last call to PublicKeyCallback will always be
-+// with the key that is used for authentication.
-+const maxCachedPubKeys = 1
-
- // pubKeyCache caches tests for public keys. Since SSH clients
- // will query whether a public key is acceptable before attempting to
-@@ -179,9 +185,10 @@ func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) {
-
- // add adds the given tuple to the cache.
- func (c *pubKeyCache) add(candidate cachedPubKey) {
-- if len(c.keys) < maxCachedPubKeys {
-- c.keys = append(c.keys, candidate)
-+ if len(c.keys) >= maxCachedPubKeys {
-+ c.keys = c.keys[1:]
- }
-+ c.keys = append(c.keys, candidate)
- }
-
- // ServerConn is an authenticated SSH connection, as seen from the
---
-2.34.1
-
diff --git a/SPECS/cert-manager/cert-manager.spec b/SPECS/cert-manager/cert-manager.spec
index d3186f8005b..bb266b68a31 100644
--- a/SPECS/cert-manager/cert-manager.spec
+++ b/SPECS/cert-manager/cert-manager.spec
@@ -13,8 +13,7 @@ Source0: https://github.com/jetstack/%{name}/archive/refs/tags/v%{version
 # 1. wget https://github.com/jetstack/%%{name}/archive/refs/tags/v%%{version}.tar.gz -O %%{name}-%%{version}.tar.gz
 # 2. /SPECS/cert-manager/generate_source_tarball.sh --srcTarball %%{name}-%%{version}.tar.gz --pkgVersion %%{version}
 Source1: %{name}-%{version}-vendor.tar.gz
-Patch0: CVE-2024-45337.patch
-Patch1: CVE-2024-45338.patch
+Patch0: CVE-2024-45338.patch
 BuildRequires: golang
 Requires: %{name}-acmesolver
 Requires: %{name}-cainjector
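Review bot: Renumbering `Patch1: CVE-2024-45338.patch` to `Patch0:` is only safe if `%prep` applies patches with `%autosetup -p1` or `%autopatch`; if it applies them by number (`%patch1` / `%patch -P1`), that line lives outside this hunk and must be updated too, otherwise the build either fails or quietly stops applying the 45338 fix. Dropping the 45337 patch also rests entirely on the regenerated tarballs, not on anything visible here: the vendored `cmd/controller/vendor/golang.org/x/crypto/ssh/server.go` must now carry the 1-entry `pubKeyCache` change upstream, which I believe first shipped in x/crypto v0.31.0 — worth confirming `golang.org/x/crypto` in the new Source1's `modules.txt` is at or past that version before closing CVE-2024-45337 for this package. A one-line comment next to `Source1:` recording the x/crypto version that makes the patch unnecessary, e.g. `# vendor tarball carries golang.org/x/crypto >= v0.31.0 (CVE-2024-45337 fixed upstream)`, would keep the next servicer from re-adding it.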
@@ -105,8 +104,9 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/
 %{_bindir}/webhook
 
 %changelog
-* Mon Jan 20 2025 CBL-Mariner Servicing Account - 1.12.15-1
-- Auto-upgrade to 1.12.15 - none
+* Mon Jan 27 2025 Rohit Rawat - 1.12.15-1
+- Upgrade to 1.12.15 - to fix CVE-2024-12401
+- Remove CVE-2024-45337.patch as it is fixed in 1.12.15
 
 * Tue Dec 31 2024 Rohit Rawat - 1.12.13-3
 - Add patch for CVE-2024-45338