Sunday, October 13, 2024

patches in snapshots (Re: CVS: cvs.openbsd.org: src)

hi, i'd like to kindly ask if the patches that are included in
snapshots could somehow be provided to the people running the
snapshots, in some way, like source-changes@?

one part of free and open source software is that i know which code
i am running.

and i am obviously totally fine with testing stuff, but... this
is reeaally sensitive stuff that'd be nice to know about if i am
running it on my system.

thank you.

On Sun, Oct 13, 2024 at 07:57:50PM -0600, Damien Miller wrote:
> CVSROOT: /cvs
> Module name: src
> Changes by: djm@cvs.openbsd.org 2024/10/13 19:57:50
>
> Modified files:
> usr.bin/ssh : Makefile Makefile.inc log.c monitor.c monitor.h
> monitor_wrap.c monitor_wrap.h pathnames.h
> sandbox-pledge.c sandbox-rlimit.c servconf.c
> servconf.h session.c ssh-sandbox.h
> sshd-session.c sshd.c
> usr.bin/ssh/sshd-session: Makefile
> Added files:
> usr.bin/ssh : sshd-auth.c
> usr.bin/ssh/sshd-auth: Makefile
>
> Log message:
> Split per-connection sshd-session binary
>
> This splits the user authentication code from the sshd-session
> binary into a separate sshd-auth binary. This will be executed by
> sshd-session to complete the user authentication phase of the
> protocol only.
>
> Splitting this code into a separate binary ensures that the crucial
> pre-authentication attack surface has an entirely disjoint address
> space from the code used for the rest of the connection. It also
> yields a small runtime memory saving as the authentication code will
> be unloaded after the authentication phase completes.
>
> Joint work with markus@ feedback deraadt@
>
> Tested in snaps since last week
>
