mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2025-08-01 17:38:33 +00:00
fix: ensure correct ssh public key is used for authentication
- The root cause is described in b4f1988a35
- Move to a fork of `github.com/gliderlabs/ssh` that exposes the
permissions that was chosen by `x/crypto/ssh` after succesfully
authenticating, this is the recommended mitigation by the Golang
security team. The fork exposes this, since `gliderlabs/ssh` instead
relies on context values to do so, which is vulnerable to the same
attack, although partially mitigated by the fix in `x/crypto/ssh` it
would not be good practice and defense deep to rely on it.
- Existing tests covers that the functionality is preserved.
- No tests are added to ensure it fixes the described security, the
exploit relies on non-standard SSH behavior it would be too hard to
craft SSH packets to exploit this.
This commit is contained in:
Gusted
Earl Warren
parent
80179a373d
commit
3e1b03838e
3 changed files with 13 additions and 10 deletions
2
go.mod
2
go.mod
|
|
@ -301,3 +301,5 @@ replace github.com/nektos/act => code.forgejo.org/forgejo/act v1.22.0
|
|||
replace github.com/mholt/archiver/v3 => code.forgejo.org/forgejo/archiver/v3 v3.5.1
|
||||
|
||||
replace github.com/goccy/go-json => github.com/grafana/go-json v0.0.0-20241210211703-a119ee5a0a3b
|
||||
|
||||
replace github.com/gliderlabs/ssh => code.forgejo.org/forgejo/ssh v0.0.0-20241211213324-5fc306ca0616
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue