Ubuntu has issued an advisory today (March 25):
The issue is fixed upstream in 6.6 (we have 6.6p1 in Cauldron).
Patched packages uploaded for Mageia 3 and Mageia 4.
Updated openssh packages fix security vulnerability:
sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv
lines in sshd_config, which allows remote attackers to bypass intended
environment restrictions by using a substring located before a wildcard
Updated packages in core/updates_testing:
Steps to Reproduce:
Testing complete mga3 & mga4 both 32 & 64
Used ssh from one to another and back again
Advisory uploaded. Validating.
Could sysadmin please push to 3 & 4 updates
The advisory page for this shows the wrong CVE number in two places (it shows a 2531). Can someone please fix this?