| Summary: | openssh new security issues CVE-2019-6109 and CVE-2019-6111 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, guillomovitch, herman.viaene, mageia, sysadmin-bugs, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | openssh-7.9p1-2.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2019-02-03 03:13:00 CET
David Walser
2019-02-03 03:13:21 CET
Assignee: bugsquad => guillomovitch

Debian has issued an advisory for two of these issues on February 9:
https://www.debian.org/security/2019/dsa-4387

Ubuntu has as well on February 7:
https://usn.ubuntu.com/3885-1/

Updated advisory from Ubuntu (the fix was incomplete) from March 4:
https://usn.ubuntu.com/3885-2/

openSUSE has issued an advisory for this today (March 8):
https://lists.opensuse.org/opensuse-updates/2019-03/msg00033.html

OpenSSH 8.0p1 contains a fix for CVE-2019-6111:
https://www.openwall.com/lists/oss-security/2019/04/18/1

openssh-8.0p1-1.mga7 uploaded for Cauldron by Guillaume. I'm not sure if it has fixes for CVE-2019-6109 or CVE-2019-6110.

The upstream patch referenced by the Debian advisory for CVE-2019-6109 is included in openssh 8.0p1, so I'd say yes for this one. I didn't find any reference to a patch for CVE-2019-6110, though.

Thanks. Looking over this again, it looks like nobody ended up fixing CVE-2019-6110 and upstream doesn't think it's worth trying and ultimately scp needs to be rewritten to use the sftp protocol underneath. We can issue an update for the other two issues.

Whiteboard:
MGA6TOO => (none)

Advisory:
========================

Updated openssh packages fix security vulnerabilities:

Due to missing character encoding in the progress display, the object name can be used to manipulate the client output, for example to employ ANSI codes to hide additional files being transferred (CVE-2019-6109).

Due to scp client insufficient input validation in path names sent by server, a malicious server can do arbitrary file overwrites in target directory. If the recursive (-r) option is provided, the server can also manipulate subdirectories as well (CVE-2019-6111).

The check added in this version can lead to regression if the client and the server have differences in wildcard expansion rules. If the server is trusted for that purpose, the check can be disabled with a new -T option to the scp client.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6109
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111
https://www.debian.org/security/2019/dsa-4387
========================

Updated packages in core/updates_testing:
========================
openssh-7.5p1-2.4.mga6
openssh-clients-7.5p1-2.4.mga6
openssh-server-7.5p1-2.4.mga6
openssh-askpass-common-7.5p1-2.4.mga6
openssh-askpass-7.5p1-2.4.mga6
openssh-askpass-gnome-7.5p1-2.4.mga6
openssh-ldap-7.5p1-2.4.mga6

from openssh-7.5p1-2.4.mga6.src.rpm

CC: (none) => guillomovitch

MGA6-64 Plasma on Lenovo B50
No installation issues
Testing locally on this machine:
# systemctl start sshd
# systemctl -l status sshd
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since zo 2019-05-05 14:10:48 CEST; 24s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 28393 (sshd)
CGroup: /system.slice/sshd.service
└─28393 /usr/sbin/sshd -D
mei 05 14:10:48 mach5.hviaene.thuis systemd[1]: Starting OpenSSH server daemon...
mei 05 14:10:48 mach5.hviaene.thuis sshd[28393]: Server listening on 0.0.0.0 port 22.
mei 05 14:10:48 mach5.hviaene.thuis sshd[28393]: Server listening on :: port 22.
mei 05 14:10:48 mach5.hviaene.thuis systemd[1]: Started OpenSSH server daemon.
# ssh tester6@<mylaptop>
Password:
Last login: Sun May 5 14:13:37 2019 from fe80::b66d:83ff:fe0d:c14%wlp9s0
[tester6@mach5 ~]$ pwd
/home/tester6
Seems to work OK.

CC: (none) => herman.viaene

Installed and tested without issues.

Tests:
- normal shell (client and server);
- sshfs mount (client and server);
- git clone from github using ssh (client);
- sftp copy (client and server);
- rsync (client and server);

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.106-desktop-1.mga6 #1 SMP Thu Mar 14 18:01:29 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep openssh | sort
openssh-7.5p1-2.4.mga6
openssh-askpass-7.5p1-2.4.mga6
openssh-askpass-common-7.5p1-2.4.mga6
openssh-askpass-qt5-2.0.3-1.mga6
openssh-clients-7.5p1-2.4.mga6
openssh-server-7.5p1-2.4.mga6

CC: (none) => mageia

Validating. Advisory in Comment 9.

Keywords: (none) => validated_update
Thomas Backlund
2019-05-12 09:47:30 CEST
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0156.html

Status: NEW => RESOLVED
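
The advisory in this report describes two client-side protections: checking names sent by the server against what was requested (CVE-2019-6111) and encoding the object name before it is displayed (CVE-2019-6109). The following C example is added here to illustrate both ideas; it is not OpenSSH's or Mageia's code, `name_allowed` and `display_name` are hypothetical helpers, and the sample names are constructed.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: 1 if a server-sent name is acceptable for the request. */
int name_allowed(const char *requested, const char *sent)
{
    const char *pat = strrchr(requested, '/');
    pat = pat ? pat + 1 : requested;          /* compare last component only */
    if (*sent == '\0' || strchr(sent, '/') != NULL)
        return 0;                             /* must be one path component */
    if (strcmp(sent, ".") == 0 || strcmp(sent, "..") == 0)
        return 0;                             /* never the target directory itself */
    return fnmatch(pat, sent, 0) == 0;        /* must match what was asked for */
}

/* Hypothetical helper: copy name to out, writing every byte that is not
 * printable ASCII (and the backslash) as \xNN so it cannot drive the terminal. */
size_t display_name(const char *name, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p >= 0x20 && *p < 0x7f && *p != '\\') {
            if (n + 1 >= outlen)
                break;
            out[n++] = (char)*p;
        } else {
            if (n + 4 >= outlen)
                break;
            n += (size_t)snprintf(out + n, outlen - n, "\\x%02x", (unsigned)*p);
        }
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample: one request, three names a server might send back. */
    const char *sent[] = { "report.txt", "unrequested.txt", "file" "\x1b" "[31m.txt" };
    char shown[64];
    for (size_t i = 0; i < 3; i++) {
        display_name(sent[i], shown, sizeof shown);
        printf("%-24s %s\n", shown,
               name_allowed("docs/report.txt", sent[i]) ? "accept" : "reject");
    }
    return 0;
}
```

A request such as `{a,b}.txt` is expanded by the remote shell but treated literally by `fnmatch`, so `name_allowed("{a,b}.txt", "a.txt")` returns 0; this is the kind of wildcard-expansion mismatch for which the advisory mentions the `-T` option.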