Bug 29001

Summary:	openssh new security issue CVE-2021-28041
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	major
Priority:	Normal	CC:	brtians1, mageia, ouaurelien, sysadmin-bugs
Version:	8	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA8-64-OK
Source RPM:	openssh-8.4p1-2.mga8.src.rpm	CVE:	CVE-2021-28041
Status comment:

Description David Walser 2021-05-29 00:25:36 CEST

Ubuntu has issued an advisory on March 10:
https://ubuntu.com/security/notices/USN-4762-1

The issue is fixed upstream in 8.5.

Mageia 7 is also affected.

David Walser 2021-05-29 00:25:51 CEST

CC: (none) => mageia
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 8.5

Comment 1 David Walser 2021-05-29 19:43:49 CEST

Fedora has issued an advisory for this on March 23:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TXST2CML2MWY3PNVUXX7FFJE3ATJMNVZ/

The issue was introduced in 8.2, so Mageia 7 isn't affected.

Whiteboard: MGA7TOO => (none)
Status comment: Fixed upstream in 8.5 => Fixed upstream in 8.5p1

Comment 2 Lewis Smith 2021-05-29 21:47:54 CEST

Assigtning to Guillaume, the registered & active 'openssh' maintainer.

Assignee: bugsquad => guillomovitch

Comment 3 Thomas Backlund 2021-06-12 22:18:51 CEST

SRPM:
openssh-8.4p1-2.1.mga8.src.rpm


i586:
openssh-8.4p1-2.1.mga8.i586.rpm
openssh-askpass-common-8.4p1-2.1.mga8.i586.rpm
openssh-askpass-gnome-8.4p1-2.1.mga8.i586.rpm
openssh-clients-8.4p1-2.1.mga8.i586.rpm
openssh-server-8.4p1-2.1.mga8.i586.rpm


x86_64:
openssh-8.4p1-2.1.mga8.x86_64.rpm
openssh-askpass-common-8.4p1-2.1.mga8.x86_64.rpm
openssh-askpass-gnome-8.4p1-2.1.mga8.x86_64.rpm
openssh-clients-8.4p1-2.1.mga8.x86_64.rpm
openssh-server-8.4p1-2.1.mga8.x86_64.rpm

Assignee: guillomovitch => qa-bugs

Comment 4 Brian Rockwell 2021-06-15 17:23:23 CEST

MGA8 - 64 bit 


- openssh-8.4p1-2.1.mga8.x86_64
- openssh-clients-8.4p1-2.1.mga8.x86_64

---

generated a new ssh key using ssh-keygen

I am able to ssh to remove server.

Thank goodness, this fixes a long standing issue I've been suffering in MGA8.

CC: (none) => brtians1

Comment 5 Aurelien Oudelet 2021-06-15 21:55:45 CEST

Advisory:
========================

Updated openssh packages fix a security vulnerability:

ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host (CVE-2021-28041). 

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29001
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28041
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TXST2CML2MWY3PNVUXX7FFJE3ATJMNVZ/
 - https://ubuntu.com/security/notices/USN-4762-1
========================

Updated packages in core/updates_testing:
========================
openssh-8.4p1-2.1.mga8
openssh-askpass-common-8.4p1-2.1.mga8
openssh-askpass-gnome-8.4p1-2.1.mga8
openssh-clients-8.4p1-2.1.mga8
openssh-server-8.4p1-2.1.mga8

from SRPM:
openssh-8.4p1-2.1.mga8.src.rpm

CVE: (none) => CVE-2021-28041
Keywords: (none) => advisory
Status comment: Fixed upstream in 8.5p1 => (none)
CC: (none) => ouaurelien

Comment 6 Aurelien Oudelet 2021-06-15 21:56:31 CEST

(In reply to Brian Rockwell from comment #4)
> MGA8 - 64 bit 
> 
> 
> - openssh-8.4p1-2.1.mga8.x86_64
> - openssh-clients-8.4p1-2.1.mga8.x86_64
> 
> ---
> 
> generated a new ssh key using ssh-keygen
> 
> I am able to ssh to remove server.

Same tests. OK.

Validating.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2021-06-16 22:24:07 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0261.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED