| Summary: | openssh new security issue CVE-2024-6387 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | andrewsfarm, dan, mageia, sysadmin-bugs, yvesbrungard |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | openssh-9.3p1-2.1.mga9.src.rpm | CVE: | CVE-2024-6387 |
| Status comment: | | | |
Description
Nicolas Salguero
2024-07-01 11:38:24 CEST

Nicolas Salguero
2024-07-01 11:40:46 CEST
Whiteboard: (none) => MGA9TOO

Suggested advisory:
========================

The updated packages fix a security vulnerability:

regreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems. (CVE-2024-6387)

References:
https://lists.debian.org/debian-security-announce/2024/msg00135.html
https://www.openwall.com/lists/oss-security/2024/07/01/3
========================

Updated packages in core/updates_testing:
========================
openssh-9.3p1-2.2.mga9
openssh-askpass-common-9.3p1-2.2.mga9
openssh-askpass-gnome-9.3p1-2.2.mga9
openssh-clients-9.3p1-2.2.mga9
openssh-keycat-9.3p1-2.2.mga9
openssh-server-9.3p1-2.2.mga9

from SRPM:
openssh-9.3p1-2.2.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
katnatek
2024-07-01 21:42:29 CEST
Keywords: (none) => advisory

RH mageia 9 x86_64

```
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing openssh-server-9.3p1-2.2.mga9.x86_64.rpm openssh-askpass-gnome-9.3p1-2.2.mga9.x86_64.rpm openssh-9.3p1-2.2.mga9.x86_64.rpm openssh-askpass-common-9.3p1-2.2.mga9.x86_64.rpm openssh-clients-9.3p1-2.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
     1/5: openssh                ##################################################################################################
     2/5: openssh-clients        ##################################################################################################
     3/5: openssh-askpass-common ##################################################################################################
     4/5: openssh-askpass-gnome  ##################################################################################################
     5/5: openssh-server         ##################################################################################################
     1/5: removing openssh-askpass-gnome-9.3p1-2.1.mga9.x86_64
                                 ##################################################################################################
     2/5: removing openssh-server-9.3p1-2.1.mga9.x86_64
                                 ##################################################################################################
     3/5: removing openssh-askpass-common-9.3p1-2.1.mga9.x86_64
                                 ##################################################################################################
     4/5: removing openssh-clients-9.3p1-2.1.mga9.x86_64
                                 ##################################################################################################
     5/5: removing openssh-9.3p1-2.1.mga9.x86_64
                                 ##################################################################################################
systemctl restart sshd.service
[root@jgrey ~]# systemctl status sshd.service
● sshd.service - OpenSSH server daemon
     Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; preset: enabled)
     Active: active (running) since Mon 2024-07-01 16:26:44 CST; 8s ago
       Docs: man:sshd(8)
             man:sshd_config(5)
   Main PID: 278792 (sshd)
      Tasks: 1 (limit: 6904)
     Memory: 1.3M
        CPU: 36ms
     CGroup: /system.slice/sshd.service
             └─278792 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

jul 01 16:26:44 jgrey.phoenix systemd[1]: Starting sshd.service...
jul 01 16:26:44 jgrey.phoenix sshd[278792]: Server listening on 192.168.1.3 port 22.
jul 01 16:26:44 jgrey.phoenix systemd[1]: Started sshd.service.
```
Connect by sftp to my server and transfer a file OK
Connect to remote server by ssh OK
I installed the packages on x86_64 and haven't found any problems, testing ssh, sftp, rsync, X11, local and remote port forwarding.
CC: (none) => dan

works, as expected. Since no simple test against the security issue is available we must consider it fixed.

Cauldron: shouldn't we push the newer version (9.8) to cauldron instead of the patch
CC: (none) => mageia
Marc Krämer
2024-07-02 14:02:31 CEST
Whiteboard: (none) => MGA9-64-OK

(In reply to Marc Krämer from comment #4)
> Cauldron: shouldn't we push the newer version (9.8) to cauldron instead of
> the patch

Yes, we should but, sadly, I am unable to do it. If someone else wants to try to do it, I would be more than happy.

@Nico: why? what is the problem? maybe I can help? Should we switch to mail, for discussion?

(In reply to Marc Krämer from comment #6)
> @Nico: why? what is the problem? maybe I can help? Should we switch to mail,
> for discussion?

I lack knowledge about how openssh was historically packaged. It seems we more or less follow how it is packaged into Fedora. When I tried, some patches did not apply and I am unsure if those patches are needed or not.

I see. Had the same view on this. Guillaume has synced it with fedora. Did not remember he gave it up... I guess we have to make decisions on the patches. I guess it would be a good idea to get more to vanilla and remove (old) patches we can't maintain, e.g. openssh-7.8p1-role-mls which adds selinux roles, not officially supported. I'll have a look on this. It really is a bunch of patches....

Fixed, removed, deactivated some of the patches. A build is running for cauldron. Have to recheck some of the deactivated ones. But at least it compiles.

Installed in my RPI4-arm64

(In reply to Nicolas Salguero from comment #1)
> openssh-9.3p1-2.2.mga9
> openssh-clients-9.3p1-2.2.mga9
> openssh-server-9.3p1-2.2.mga9

Restarted sshd.service
Disconnected. Connection still works.
OK for my POV.
CC: (none) => yvesbrungard

Validating.
CC: (none) => andrewsfarm, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0250.html
Status: ASSIGNED => RESOLVED
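Since, as the QA comments note, there is no simple functional test for CVE-2024-6387, validation rests on confirming that the installed openssh packages are the fixed 9.3p1-2.2.mga9 builds. The following is an added example (not part of the bug report or of Mageia's tooling) that compares package version/release strings using RPM's segment comparison rules; the `rpm -q` output it parses is a constructed sample, and tilde/caret ordering is intentionally not handled.

```python
import re
from typing import List

# Fixed builds named in the advisory above.
FIXED_VERSION = "9.3p1"
FIXED_RELEASE = "2.2.mga9"
PACKAGES = ("openssh", "openssh-clients", "openssh-server")

# Constructed sample of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' ...`
# output: openssh is still the vulnerable 2.1 build, the others are fixed.
SAMPLE_RPM_OUTPUT = """\
openssh 9.3p1 2.1.mga9
openssh-clients 9.3p1 2.2.mga9
openssh-server 9.3p1 2.2.mga9
"""

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings like rpmvercmp: split into
    numeric and alphabetic segments, compare numerics as integers, a numeric
    segment is newer than an alphabetic one, more segments wins on a tie.
    Returns -1, 0 or 1. Simplified: no '~' or '^' handling."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        if xd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_ge(version: str, release: str, fixed_version: str, fixed_release: str) -> bool:
    """True when (version, release) is at or above the fixed build."""
    c = rpmvercmp(version, fixed_version)
    return c > 0 if c != 0 else rpmvercmp(release, fixed_release) >= 0

def vulnerable_packages(rpm_output: str) -> List[str]:
    """Names of tracked packages whose installed build is below the fix."""
    found = []
    for line in rpm_output.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip 'package ... is not installed' and blank lines
        name, ver, rel = parts
        if name in PACKAGES and not evr_ge(ver, rel, FIXED_VERSION, FIXED_RELEASE):
            found.append(name)
    return found
```

On a real host, feed it the output of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' openssh openssh-clients openssh-server`; an empty result means all three are at or above the fixed build.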