Bug 13164

Summary: openssh new security issue CVE-2014-2653
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: cjwatson, mageia, sysadmin-bugs
Version: 4
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/593604/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Source RPM: openssh-6.2p2-3.1.mga4.src.rpm
CVE:
Status comment:

Description David Walser 2014-04-07 23:27:06 CEST
Debian has issued an advisory on April 5:
https://www.debian.org/security/2014/dsa-2894

Patched packages uploaded for Mageia 3 and Mageia 4.

Cauldron is not affected, as it was fixed upstream in 6.6p1.

Advisory:
========================

Updated openssh packages fix security vulnerability:

Matthew Vernon reported that if a SSH server offers a HostCertificate that
the ssh client doesn't accept, then the client doesn't check the DNS for
SSHFP records. As a consequence a malicious server can disable SSHFP-checking
by presenting a certificate (CVE-2014-2653).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653
https://www.debian.org/security/2014/dsa-2894
========================

Updated packages in core/updates_testing:
========================
openssh-6.1p1-4.3.mga3
openssh-clients-6.1p1-4.3.mga3
openssh-server-6.1p1-4.3.mga3
openssh-askpass-common-6.1p1-4.3.mga3
openssh-askpass-6.1p1-4.3.mga3
openssh-askpass-gnome-6.1p1-4.3.mga3
openssh-ldap-6.1p1-4.3.mga3
openssh-6.2p2-3.2.mga4
openssh-clients-6.2p2-3.2.mga4
openssh-server-6.2p2-3.2.mga4
openssh-askpass-common-6.2p2-3.2.mga4
openssh-askpass-6.2p2-3.2.mga4
openssh-askpass-gnome-6.2p2-3.2.mga4
openssh-ldap-6.2p2-3.2.mga4

from SRPMS:
openssh-6.1p1-4.3.mga3.src.rpm
openssh-6.2p2-3.2.mga4.src.rpm

David Walser 2014-04-07 23:27:23 CEST

Whiteboard: (none) => MGA3TOO
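
The SSHFP check described in the advisory, as an added example that is not part of the original report and is not OpenSSH code: it reduces a presented host key to its plain public-key blob, even when the server sent a certificate, and compares it against SSHFP records, so presenting a certificate does not skip the DNS comparison. The function names and sample keys are constructed for illustration; only RSA, DSA and Ed25519 key types are handled.

```python
import hashlib
import struct

CERT_SUFFIX = b"-cert-v01@openssh.com"
# key type -> (SSHFP algorithm number, count of public-key fields)
KEY_TYPES = {b"ssh-rsa": (1, 2), b"ssh-dss": (2, 4), b"ssh-ed25519": (4, 1)}
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # SSHFP fingerprint types

def put_string(data):
    """Encode an SSH wire-format string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def get_string(buf, off):
    """Decode one SSH string at off; return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def plain_key_blob(blob):
    """Return (base key type, plain public-key blob), dropping any certificate."""
    ktype, off = get_string(blob, 0)
    if ktype.endswith(CERT_SUFFIX):
        ktype = ktype[:-len(CERT_SUFFIX)]
        _nonce, off = get_string(blob, off)  # certs carry a nonce before the key
    if ktype not in KEY_TYPES:
        raise ValueError("unsupported key type")
    out = put_string(ktype)
    for _ in range(KEY_TYPES[ktype][1]):
        field, off = get_string(blob, off)
        out += put_string(field)
    return ktype, out

def sshfp_matches(presented_blob, records):
    """True if any (algorithm, fp_type, hex_fp) DNS record matches the plain key."""
    ktype, plain = plain_key_blob(presented_blob)
    algo = KEY_TYPES[ktype][0]
    return any(a == algo and t in DIGESTS and
               DIGESTS[t](plain).hexdigest() == fp.lower()
               for a, t, fp in records)

# Constructed sample data: dummy 32-byte values, not real host keys.
HOST_PK, ROGUE_PK = bytes(range(32)), bytes(32)
def make_plain(pk):
    return put_string(b"ssh-ed25519") + put_string(pk)
def make_cert(pk):  # leading fields of a certificate blob; the rest is abbreviated
    return put_string(b"ssh-ed25519" + CERT_SUFFIX) + put_string(b"n" * 32) + put_string(pk) + bytes(8)
DNS_RECORDS = [(4, 2, hashlib.sha256(make_plain(HOST_PK)).hexdigest())]
```

With the constructed data, `sshfp_matches(make_cert(ROGUE_PK), DNS_RECORDS)` is false while the same call with `HOST_PK` is true, whether the key arrives plain or wrapped in a certificate.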

Comment 1 claire robinson 2014-04-08 11:25:10 CEST
No PoC.

Testing complete mga4 32 & 64

Just used ssh to connect from one to the other and back again.

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-32-ok mga4-64-ok

Comment 2 claire robinson 2014-04-08 12:18:35 CEST
Testing complete mga3 32 & 64

Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 3 claire robinson 2014-04-08 12:21:56 CEST
Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 4 Damien Lallement 2014-04-08 14:50:20 CEST
http://advisories.mageia.org/MGASA-2014-0166.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED

Comment 5 Colin Watson 2014-04-09 14:18:25 CEST
It's not correct that this bug was fixed upstream in 6.6p1.  We discovered it in Debian and (after consultation with upstream) pushed a fix together with our first upload of 6.6p1; but 6.6p1 itself doesn't contain the fix.  Therefore I believe Cauldron is in fact still vulnerable.

CC: (none) => cjwatson

Comment 6 David Walser 2014-04-09 14:36:41 CEST
(In reply to Colin Watson from comment #5)
> It's not correct that this bug was fixed upstream in 6.6p1.  We discovered
> it in Debian and (after consultation with upstream) pushed a fix together
> with our first upload of 6.6p1; but 6.6p1 itself doesn't contain the fix. 
> Therefore I believe Cauldron is in fact still vulnerable.

Thanks for letting us know!  I'll grab the patch and apply it later today.

Comment 7 David Walser 2014-04-09 16:19:29 CEST
(In reply to David Walser from comment #6)
> (In reply to Colin Watson from comment #5)
> > It's not correct that this bug was fixed upstream in 6.6p1.  We discovered
> > it in Debian and (after consultation with upstream) pushed a fix together
> > with our first upload of 6.6p1; but 6.6p1 itself doesn't contain the fix. 
> > Therefore I believe Cauldron is in fact still vulnerable.
> 
> Thanks for letting us know!  I'll grab the patch and apply it later today.

Done.  Thanks again!