forgejo/modules/ssh
Gusted f7cb37ca5a
fix: ensure correct ssh public key is used for authentication
- The root cause is described in b4f1988a35
- Move to a fork of `github.com/gliderlabs/ssh` that exposes the
permissions that were chosen by `x/crypto/ssh` after successfully
authenticating, this is the recommended mitigation by the Golang
security team. The fork exposes this, since `gliderlabs/ssh` instead
relies on context values to do so, which is vulnerable to the same
attack, although partially mitigated by the fix in `x/crypto/ssh` it
would not be good practice and defense in depth to rely on it.
- Existing tests cover that the functionality is preserved.
- No tests are added to ensure it fixes the described security, the
exploit relies on non-standard SSH behavior it would be too hard to
craft SSH packets to exploit this.

(cherry picked from commit 3e1b03838e)

Conflicts:
	go.mod
	go.sum
  trivial context conflict
2024-12-12 07:02:14 +01:00
..
init.go Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
ssh.go fix: ensure correct ssh public key is used for authentication 2024-12-12 07:02:14 +01:00
ssh_graceful.go Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00