| Summary: | openssh new security issue CVE-2015-5352 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, sysadmin-bugs, wilcal.int |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/650293/ | | |
| Whiteboard: | MGA4TOO advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK | | |
| Source RPM: | openssh-6.8p1-1.mga6.src.rpm | CVE: | |

Description
David Walser
2015-07-01 19:47:22 CEST
David Walser
2015-07-01 19:47:28 CEST
Whiteboard: (none) => MGA5TOO, MGA4TOO

Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated openssh packages fix security vulnerability:

In Portable OpenSSH before 6.9p1, when forwarding X11 connections with
ForwardX11Trusted=no, connections made after ForwardX11Timeout expired could be
permitted and no longer subject to XSECURITY restrictions because of an
ineffective timeout check in ssh (CVE-2015-5352).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5352
http://openwall.com/lists/oss-security/2015/07/01/10
========================

Updated packages in core/updates_testing:
========================
openssh-6.2p2-3.3.mga4
openssh-clients-6.2p2-3.3.mga4
openssh-server-6.2p2-3.3.mga4
openssh-askpass-common-6.2p2-3.3.mga4
openssh-askpass-6.2p2-3.3.mga4
openssh-askpass-gnome-6.2p2-3.3.mga4
openssh-ldap-6.2p2-3.3.mga4
openssh-6.6p1-5.1.mga5
openssh-clients-6.6p1-5.1.mga5
openssh-server-6.6p1-5.1.mga5
openssh-askpass-common-6.6p1-5.1.mga5
openssh-askpass-6.6p1-5.1.mga5
openssh-askpass-gnome-6.6p1-5.1.mga5
openssh-ldap-6.6p1-5.1.mga5

from SRPMS:
openssh-6.2p2-3.3.mga4.src.rpm
openssh-6.6p1-5.1.mga5.src.rpm

Version: Cauldron => 5

Advisory committed to svn.

CC: (none) => davidwhodgins

David Walser
2015-07-06 20:23:00 CEST
URL: (none) => http://lwn.net/Vulnerabilities/650293/

In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
openssh openssh-clients openssh-server

default install of openssh openssh-clients & openssh-server

[root@localhost wilcal]# urpmi openssh
Package openssh-6.2p2-3.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.2p2-3.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.2p2-3.2.mga4.i586 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

install openssh openssh-clients & openssh-server from updates_testing

[root@localhost wilcal]# urpmi openssh
Package openssh-6.2p2-3.3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.2p2-3.3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.2p2-3.3.mga4.i586 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64

CC: (none) => wilcal.int

In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
openssh openssh-clients openssh-server openssh-askpass

default install of openssh openssh-clients openssh-server & openssh-askpass

[root@localhost wilcal]# urpmi openssh
Package openssh-6.2p2-3.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.2p2-3.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.2p2-3.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-askpass
Package openssh-askpass-6.2p2-3.2.mga4.x86_64 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

install openssh openssh-clients & openssh-server from updates_testing

[root@localhost wilcal]# urpmi openssh
Package openssh-6.2p2-3.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.2p2-3.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.2p2-3.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-askpass
Package openssh-askpass-6.2p2-3.3.mga4.x86_64 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64

In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
openssh openssh-clients openssh-server openssh-askpass

default install of openssh openssh-clients openssh-server & openssh-askpass

[root@localhost wilcal]# urpmi openssh
Package openssh-6.6p1-5.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.6p1-5.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.6p1-5.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-askpass
Package openssh-askpass-6.6p1-5.mga5.i586 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

install openssh openssh-clients openssh-server & openssh-askpass from updates_testing

[root@localhost wilcal]# urpmi openssh
Package openssh-6.6p1-5.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.6p1-5.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.6p1-5.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-askpass
Package openssh-askpass-6.6p1-5.1.mga5.i586 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64

In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
openssh openssh-clients openssh-server openssh-askpass

default install of openssh openssh-clients openssh-server & openssh-askpass

[root@localhost wilcal]# urpmi openssh
Package openssh-6.6p1-5.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.6p1-5.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.6p1-5.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-askpass
Package openssh-askpass-6.6p1-5.mga5.x86_64 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

install openssh openssh-clients openssh-server & openssh-askpass from updates_testing

[root@localhost wilcal]# urpmi openssh
Package openssh-6.6p1-5.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.6p1-5.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.6p1-5.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-askpass
Package openssh-askpass-6.6p1-5.1.mga5.x86_64 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64

Looks good. What you say David(s)?

(In reply to William Kenney from comment #7)
> Looks good. What you say David(s)?

It wasn't clear from your testing reports if you were SSH'ing *to* the machine running the openssh-server you were testing (using PuTTY or otherwise). If you were, then yes it sounds OK.

I just checked and the setting mentioned in the advisory is not the default, and the comments there say changing it is unlikely to work correctly in most cases, so this issue probably doesn't actually affect anybody anyway :o)

(In reply to David Walser from comment #8)
> It wasn't clear from your testing reports if you were SSH'ing *to* the
> machine running the openssh-server you were testing (using PuTTY or
> otherwise). If you were, then yes it sounds OK.

Two completely different machines on the LAN. One a Vbox client under test that talks SSH to a real machine on the LAN. Then vice versa.

William Kenney
2015-07-09 00:48:23 CEST
Whiteboard: MGA4TOO advisory => MGA4TOO advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK

This update works fine.
Testing complete for mga4/5 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push #####.adv to updates.
Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0271.html

Status: NEW => RESOLVED
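
The advisory in this report applies to ssh clients that forward X11 with ForwardX11Trusted=no. The following is an added example, not part of the bug report or of OpenSSH: it resolves a client configuration for one host the way ssh_config(5) describes (the first value obtained for a keyword wins; Host patterns may be negated with `!`) and classifies the host against that setting. The sample configuration, the function names and the result labels are constructed for illustration, and Match blocks are skipped as a simplification.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample client configuration (not taken from the bug report).
SAMPLE_CONFIG = """\
Host build-*
    ForwardX11 yes
    ForwardX11Trusted no
    ForwardX11Timeout 5m
Host legacy
    ForwardX11=yes
    ForwardX11Trusted yes
Host lab
    ForwardX11 yes
Host *
    ForwardX11 no
"""

def host_matches(patterns, host):
    """Host line semantics: a positive pattern must match and no '!' pattern may."""
    if any(fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatchcase(host, p) for p in patterns if not p.startswith("!"))

def effective_options(config_text, host):
    """Resolve options for host; the first value obtained for a keyword wins."""
    options, active = {}, True  # lines before the first Host apply to every host
    for raw in config_text.splitlines():
        m = re.match(r"\s*(\w+)\s*=?\s*(.*)", raw)
        if not m:  # blank line, comment, or not a keyword line
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "host":
            active = host_matches(value.split(), host)
        elif key == "match":
            active = False  # simplification: Match blocks are not evaluated
        elif active:
            options.setdefault(key, value)
    return options

def x11_exposure(config_text, host):
    """Classify host against the ForwardX11Trusted=no setting named in the advisory."""
    opts = effective_options(config_text, host)
    if opts.get("forwardx11", "no").lower() != "yes":
        return "no-x11-forwarding"
    trusted = opts.get("forwardx11trusted")
    if trusted is None:
        return "check-build-default"  # unset: the packaged default decides
    return "untrusted-with-timeout" if trusted.lower() == "no" else "trusted"
```

Hosts classified as `untrusted-with-timeout` are the ones that depend on the timeout check corrected by this update.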