upstream commit

Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface. Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger. Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@ NB. pre-auth authentication has been disabled by default in sshd for >10 years. Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf
author: djm@openbsd.org <djm@openbsd.org> 2016-09-28 16:33:06 +0000
committer: Damien Miller <djm@mindrot.org> 2016-09-29 03:11:32 +1000
commit: 0082fba4efdd492f765ed4c53f0d0fbd3bdbdf7f (patch)
tree: b0271896ec4d6c0e716821954212677438824a05 /myproposal.h
parent: 27c3a9c2aede2184856b5de1e6eca414bb751c38 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/myproposal.h b/myproposal.h
index 4729b30b0..072e36ec7 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.53 2016/09/22 17:52:53 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.54 2016/09/28 16:33:07 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -167,7 +167,7 @@
 #endif /* WITH_OPENSSL */
-#define KEX_DEFAULT_COMP        "none,zlib@openssh.com,zlib"
+#define KEX_DEFAULT_COMP        "none,zlib@openssh.com"
 #define KEX_DEFAULT_LANG        ""
 #define KEX_CLIENT \
author	djm@openbsd.org <djm@openbsd.org>	2016-09-28 16:33:06 +0000
committer	Damien Miller <djm@mindrot.org>	2016-09-29 03:11:32 +1000
commit	0082fba4efdd492f765ed4c53f0d0fbd3bdbdf7f (patch)
tree	b0271896ec4d6c0e716821954212677438824a05 /myproposal.h
parent	27c3a9c2aede2184856b5de1e6eca414bb751c38 (diff)

diff --git a/myproposal.h b/myproposal.h index 4729b30b0..072e36ec7 100644 --- a/myproposal.h +++ b/myproposal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: myproposal.h,v 1.53 2016/09/22 17:52:53 djm Exp $ */	1	/* $OpenBSD: myproposal.h,v 1.54 2016/09/28 16:33:07 djm Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2000 Markus Friedl. All rights reserved.	4	* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -167,7 +167,7 @@
167		167
168	#endif /* WITH_OPENSSL */	168	#endif /* WITH_OPENSSL */
169		169
170	#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"	170	#define KEX_DEFAULT_COMP "none,zlib@openssh.com"
171	#define KEX_DEFAULT_LANG ""	171	#define KEX_DEFAULT_LANG ""
172		172
173	#define KEX_CLIENT \	173	#define KEX_CLIENT \