diff --git a/openssh-9.9p1-maxstartups-mistracking.patch b/openssh-9.9p1-maxstartups-mistracking.patch
new file mode 100644
index 0000000..0e92903
--- /dev/null
+++ b/openssh-9.9p1-maxstartups-mistracking.patch
@@ -0,0 +1,73 @@
+diff --color -ruNp a/srclimit.c b/srclimit.c
+--- a/srclimit.c 2024-09-20 00:20:48.000000000 +0200
++++ b/srclimit.c 2026-03-06 13:30:48.408309619 +0100
+@@ -427,7 +427,9 @@ srclimit_penalise(struct xaddr *addr, in
+ penalty->active = 1;
+ if (RB_INSERT(penalties_by_expiry, by_expiry, penalty) != NULL)
+ fatal_f("internal error: %s penalty tables corrupt", t);
+- verbose_f("%s: new %s %s penalty of %d seconds for %s", t,
++ do_log2_f(penalty->active ?
++ SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_VERBOSE,
++ "%s: new %s %s penalty of %d seconds for %s", t,
+ addrnetmask, penalty->active ? "active" : "deferred",
+ penalty_secs, reason);
+ if (++(*npenaltiesp) > (size_t)max_sources)
+@@ -446,7 +448,7 @@ srclimit_penalise(struct xaddr *addr, in
+ existing->expiry = now + penalty_cfg.penalty_max;
+ if (existing->expiry - now > penalty_cfg.penalty_min &&
+ !existing->active) {
+- verbose_f("%s: activating %s penalty of %lld seconds for %s",
++ logit_f("%s: activating %s penalty of %lld seconds for %s",
+ addrnetmask, t, (long long)(existing->expiry - now),
+ reason);
+ existing->active = 1;
+diff --color -ruNp a/sshd.c b/sshd.c
+--- a/sshd.c 2026-03-06 13:10:52.653617548 +0100
++++ b/sshd.c 2026-03-06 13:24:50.865079998 +0100
+@@ -291,8 +291,10 @@ child_finish(struct early_child *child)
+ {
+ if (children_active == 0)
+ fatal_f("internal error: children_active underflow");
+- if (child->pipefd != -1)
++ if (child->pipefd != -1) {
++ srclimit_done(child->pipefd);
+ close(child->pipefd);
++ }
+ free(child->id);
+ memset(child, '\0', sizeof(*child));
+ child->pipefd = -1;
+@@ -311,6 +313,7 @@ child_close(struct early_child *child, i
+ if (!quiet)
+ debug_f("enter%s", force_final ? 
" (forcing)" : "");
+ if (child->pipefd != -1) {
++ srclimit_done(child->pipefd);
+ close(child->pipefd);
+ child->pipefd = -1;
+ }
+@@ -978,10 +981,11 @@ server_accept_loop(int *sock_in, int *so
+ }
+ /* FALLTHROUGH */
+ case 0:
+- /* child exited preauth */
++ /* child closed pipe */
+ if (children[i].early)
+ listening--;
+- srclimit_done(children[i].pipefd);
++ debug3_f("child %lu for %s closed pipe",
++ (long)children[i].pid, children[i].id);
+ child_close(&(children[i]), 0, 0);
+ break;
+ case 1:
+@@ -1003,6 +1007,12 @@ server_accept_loop(int *sock_in, int *so
+ "child %ld for %s in state %d",
+ (int)c, (long)children[i].pid,
+ children[i].id, children[i].early);
++
++ if (children[i].early)
++ listening--;
++ if (children[i].pid > 0)
++ kill(children[i].pid, SIGTERM);
++ child_close(&(children[i]), 0, 0);
+ }
+ break;
+ }
diff --git a/openssh.spec b/openssh.spec
index 4e73516..2c60682 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -234,6 +234,9 @@ Patch1036: openssh-9.9p1-gssapi-s4u.patch
 # upstream 19f7cb39eecb4b8f768f37e8294dc3a9142e022b
 # upstream 97b32fa2af25c16aec4de85c5cbb63fd038b4dfa
 Patch1037: openssh-9.9p1-first-match-wins.patch
+# upstream eddd1d2daa64a6ab1a915ca88436fa41aede44d4
+# upstream bc328144f149af07139a0f2c1329018cd85b86b7
+Patch1038: openssh-9.9p1-maxstartups-mistracking.patch
 
 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin
@@ -435,6 +438,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
 %patch -P 1035 -p1 -b .mlkem-nist-fips
 %patch -P 1036 -p1 -b .gssapi-s4u
 %patch -P 1037 -p1 -b .first-match-wins
+%patch -P 1038 -p1 -b .maxstartups-mistracking
 %patch -P 100 -p1 -b .coverity
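Review bot: The new `debug3_f` in the `@@ -978,10 +981,11 @@` hunk of sshd.c prints `children[i].pid` with `%lu` while passing it cast to `(long)`, a signed/unsigned format mismatch that `-Wformat` flags and that the standard treats as undefined; the following hunk logs the same field as `%ld` with `(long)`, so the added line should read `debug3_f("child %ld for %s closed pipe",`. The enclosing `switch` and server_accept_loop itself begin and end outside the hunk. Separately, the srclimit.c hunks raise active-penalty messages from VERBOSE to INFO (`do_log2_f(... SYSLOG_LEVEL_INFO ...)` and `logit_f`), so operators should expect one INFO syslog line per activated penalty; whether that volume is bounded is only hinted at by the `++(*npenaltiesp) > (size_t)max_sources` check visible here, and a one-line mention in the package changelog would help.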
@@ -721,6 +725,8 @@ test -f %{sysconfig_anaconda} && \ - Only the first value of MaxStartups, PerSourceNetBlockSize and IPQoS in sshd_config should count when defined multiple times Resolves: RHEL-150365 +- Fix mistracking of MaxStartups process exits in some situations + Resolves: RHEL-121768 * Wed Mar 11 2026 Dmitry Belyavskiy - 9.9p1-21 - Implement obtaining Kerberos tickets on behalf of user on SSH authentication