Ubuntu has issued an advisory today (March 25):
http://www.ubuntu.com/usn/usn-2155-1/

The issue is fixed upstream in 6.6 (we have 6.6p1 in Cauldron).

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated openssh packages fix security vulnerability:

sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character (CVE-2014-2532).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2532
http://www.ubuntu.com/usn/usn-2155-1/
========================

Updated packages in core/updates_testing:
========================
openssh-6.1p1-4.2.mga3
openssh-clients-6.1p1-4.2.mga3
openssh-server-6.1p1-4.2.mga3
openssh-askpass-common-6.1p1-4.2.mga3
openssh-askpass-6.1p1-4.2.mga3
openssh-askpass-gnome-6.1p1-4.2.mga3
openssh-ldap-6.1p1-4.2.mga3
openssh-6.2p2-3.1.mga4
openssh-clients-6.2p2-3.1.mga4
openssh-server-6.2p2-3.1.mga4
openssh-askpass-common-6.2p2-3.1.mga4
openssh-askpass-6.2p2-3.1.mga4
openssh-askpass-gnome-6.2p2-3.1.mga4
openssh-ldap-6.2p2-3.1.mga4

from SRPMS:
openssh-6.1p1-4.2.mga3.src.rpm
openssh-6.2p2-3.1.mga4.src.rpm
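Added example (not part of the original report, nor Mageia or OpenSSH project code): a shell check that lists the AcceptEnv patterns in an sshd_config that contain a wildcard, which are the lines the CVE-2014-2532 advisory above concerns. The sample config and the function names are constructed for illustration; it assumes whitespace-separated arguments and full-line `#` comments.

```shell
#!/usr/bin/env bash
# Added example: audit sshd_config for AcceptEnv patterns that use wildcards.

# Constructed sample config (not taken from the page or any real host).
sample_sshd_config() {
cat <<'EOF'
# constructed sample sshd_config
Port 22
AcceptEnv LANG LC_*
acceptenv XMODIFIERS
	AcceptEnv GIT_? EDITOR
#AcceptEnv DISABLED_*
EOF
}

# Read an sshd_config on stdin and print every AcceptEnv pattern that
# contains a wildcard character (* or ?), one pattern per line.
wildcard_acceptenv() {
  awk '
    /^[[:space:]]*#/ { next }          # skip full-line comments
    tolower($1) == "acceptenv" {       # keywords are case-insensitive
      for (i = 2; i <= NF; i++)
        if ($i ~ /[*?]/) print $i
    }'
}

# Scan the file given as first argument, or the constructed sample if none.
if [ -n "${1:-}" ]; then
  wildcard_acceptenv < "$1"
else
  sample_sshd_config | wildcard_acceptenv
fi
```

A package version string alone does not show whether the fix is present, since the updated packages listed above keep the 6.1p1 and 6.2p2 upstream versions; compare the installed package release against the advisory.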
Whiteboard: (none) => MGA3TOO
Testing complete mga3 & mga4, both 32 & 64. Used ssh from one to another and back again.
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Advisory uploaded. Validating. Could sysadmin please push to 3 & 4 updates? Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO advisory has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0143.html
Status: NEW => RESOLVED
CC: (none) => pterjan
Resolution: (none) => FIXED
The advisory page for this shows the wrong CVE number in two places (it shows a 2531). Can someone please fix this?
Done.
CC: (none) => mageia