Bug 13088 - openssh new security issue CVE-2014-2532
Summary: openssh new security issue CVE-2014-2532
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/591895/
Whiteboard: MGA3TOO advisory has_procedure mga3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-03-25 20:03 CET by David Walser
Modified: 2014-04-08 01:40 CEST (History)

See Also:
Source RPM: openssh-6.1p1-4.mga3.src.rpm
CVE:
Status comment:


Description David Walser 2014-03-25 20:03:53 CET
Ubuntu has issued an advisory today (March 25):
http://www.ubuntu.com/usn/usn-2155-1/

The issue is fixed upstream in 6.6 (we have 6.6p1 in Cauldron).

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated openssh packages fix security vulnerability:

sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv
lines in sshd_config, which allows remote attackers to bypass intended
environment restrictions by using a substring located before a wildcard
character (CVE-2014-2532).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2532
http://www.ubuntu.com/usn/usn-2155-1/
========================

Updated packages in core/updates_testing:
========================
openssh-6.1p1-4.2.mga3
openssh-clients-6.1p1-4.2.mga3
openssh-server-6.1p1-4.2.mga3
openssh-askpass-common-6.1p1-4.2.mga3
openssh-askpass-6.1p1-4.2.mga3
openssh-askpass-gnome-6.1p1-4.2.mga3
openssh-ldap-6.1p1-4.2.mga3
openssh-6.2p2-3.1.mga4
openssh-clients-6.2p2-3.1.mga4
openssh-server-6.2p2-3.1.mga4
openssh-askpass-common-6.2p2-3.1.mga4
openssh-askpass-6.2p2-3.1.mga4
openssh-askpass-gnome-6.2p2-3.1.mga4
openssh-ldap-6.2p2-3.1.mga4

from SRPMS:
openssh-6.1p1-4.2.mga3.src.rpm
openssh-6.2p2-3.1.mga4.src.rpm

David Walser 2014-03-25 20:03:59 CET

Whiteboard: (none) => MGA3TOO
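The AcceptEnv flaw the advisory describes, as an added C illustration that is not OpenSSH's code and not part of this bug report: a simplified matcher that receives the pattern length from its caller, with the pre-6.6 caller passing the length of the client-supplied variable name and the 6.6 caller passing the length of the pattern. The root cause modelled here (the pattern being truncated to the length of the variable name) is taken from the upstream 6.6 fix, not from this report, and the glob matcher and function names are stand-ins of my own.

```c
#include <string.h>

/* Minimal glob ('*' = any run, '?' = one char), standing in for
 * OpenSSH's match_pattern(); this is an added illustration, not its code. */
static int glob_match(const char *s, const char *p)
{
    for (; *p != '\0'; s++, p++) {
        if (*p == '*') {                 /* try every split for the star */
            for (p++; !glob_match(s, p); s++)
                if (*s == '\0')
                    return 0;
            return 1;
        }
        if (*s == '\0' || (*p != '?' && *p != *s))
            return 0;
    }
    return *s == '\0';
}

/* Match NAME against at most LEN bytes of PATTERN (never past its NUL).
 * The LEN argument is the crux: the matcher only ever sees a truncated
 * copy of the pattern, so the caller's choice of LEN decides the outcome. */
static int match_pattern_len(const char *name, const char *pattern, size_t len)
{
    char sub[256];
    size_t n = 0;
    while (n < len && pattern[n] != '\0')
        n++;
    if (n >= sizeof(sub))
        return 0;
    memcpy(sub, pattern, n);
    sub[n] = '\0';
    return glob_match(name, sub);
}

/* Pre-6.6 behaviour: LEN is the length of the *variable name*, so with
 * AcceptEnv "LC_*" a client-supplied "LC" is matched against "LC" and
 * accepted, although it only matches a substring before the wildcard. */
int accept_env_buggy(const char *name, const char *accept_env)
{
    return match_pattern_len(name, accept_env, strlen(name));
}

/* 6.6 behaviour: LEN is the length of the pattern, so "LC" must now
 * match the whole of "LC_*" and is rejected. */
int accept_env_fixed(const char *name, const char *accept_env)
{
    return match_pattern_len(name, accept_env, strlen(accept_env));
}
```

Names that genuinely match the pattern ("LC_ALL") pass both versions; only prefixes of the text before the wildcard ("L", "LC") separate the two.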

Comment 1 claire robinson 2014-03-29 20:18:24 CET
Testing complete mga3 & mga4 both 32 & 64

Used ssh from one to another and back again

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 2 claire robinson 2014-03-29 20:21:54 CET
Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO advisory has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 3 Pascal Terjan 2014-03-31 21:38:50 CEST
http://advisories.mageia.org/MGASA-2014-0143.html

Status: NEW => RESOLVED
CC: (none) => pterjan
Resolution: (none) => FIXED

Comment 4 David Walser 2014-04-07 23:16:48 CEST
The advisory page for this shows the wrong CVE number in two places (it shows a 2531). Can someone please fix this?

Comment 5 Damien Lallement 2014-04-08 01:40:05 CEST
Done.

CC: (none) => mageia