The branch main has been updated by emaste:
URL:
https://cgit.FreeBSD.org/src/commit/?id=8a16d0831e70530b2fbd682e748bd051de35f192
commit 8a16d0831e70530b2fbd682e748bd051de35f192
Author: Ed Maste <ema...@freebsd.org>
AuthorDate: 2025-02-19 03:00:45 +0000
Commit: Ed Maste <ema...@freebsd.org>
CommitDate: 2025-02-19 12:25:55 +0000
ssh: Don't reply to PING in preauth phase or during KEX
Obtained from: OpenSSH 5e07dee272c3
Security: CVE-2025-26466
Sponsored by: The FreeBSD Foundation
---
crypto/openssh/packet.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/crypto/openssh/packet.c b/crypto/openssh/packet.c
index 2d1401e7c9f5..d8fbfa28b800 100644
--- a/crypto/openssh/packet.c
+++ b/crypto/openssh/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.313 2023/12/18 14:45:17 djm Exp $ */
+/* $OpenBSD: packet.c,v 1.318 2025/02/18 08:02:12 djm Exp $ */
/*
* Author: Tatu Ylonen <y...@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <y...@cs.hut.fi>, Espoo, Finland
@@ -1774,6 +1774,14 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char
*typep, u_int32_t *seqnr_p)
if ((r = sshpkt_get_string_direct(ssh, &d, &len)) != 0)
return r;
DBG(debug("Received SSH2_MSG_PING len %zu", len));
+ if (!ssh->state->after_authentication) {
+ DBG(debug("Won't reply to PING in preauth"));
+ break;
+ }
+ if (ssh_packet_is_rekeying(ssh)) {
+ DBG(debug("Won't reply to PING during KEX"));
+ break;
+ }
if ((r = sshpkt_start(ssh, SSH2_MSG_PONG)) != 0 ||
(r = sshpkt_put_string(ssh, d, len)) != 0 ||
(r = sshpkt_send(ssh)) != 0)
