Bug 13164 - openssh new security issue CVE-2014-2653
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/593604/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Reported: 2014-04-07 23:27 CEST by David Walser
Modified: 2014-04-09 16:19 CEST
Source RPM: openssh-6.2p2-3.1.mga4.src.rpm

Description David Walser 2014-04-07 23:27:06 CEST
Debian has issued an advisory on April 5:
https://www.debian.org/security/2014/dsa-2894

Patched packages uploaded for Mageia 3 and Mageia 4.

Cauldron is not affected, as it was fixed upstream in 6.6p1.

Advisory:
========================

Updated openssh packages fix security vulnerability:

Matthew Vernon reported that if a SSH server offers a HostCertificate that
the ssh client doesn't accept, then the client doesn't check the DNS for
SSHFP records. As a consequence a malicious server can disable SSHFP-checking
by presenting a certificate (CVE-2014-2653).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653
https://www.debian.org/security/2014/dsa-2894
========================

Updated packages in core/updates_testing:
========================
openssh-6.1p1-4.3.mga3
openssh-clients-6.1p1-4.3.mga3
openssh-server-6.1p1-4.3.mga3
openssh-askpass-common-6.1p1-4.3.mga3
openssh-askpass-6.1p1-4.3.mga3
openssh-askpass-gnome-6.1p1-4.3.mga3
openssh-ldap-6.1p1-4.3.mga3
openssh-6.2p2-3.2.mga4
openssh-clients-6.2p2-3.2.mga4
openssh-server-6.2p2-3.2.mga4
openssh-askpass-common-6.2p2-3.2.mga4
openssh-askpass-6.2p2-3.2.mga4
openssh-askpass-gnome-6.2p2-3.2.mga4
openssh-ldap-6.2p2-3.2.mga4

from SRPMS:
openssh-6.1p1-4.3.mga3.src.rpm
openssh-6.2p2-3.2.mga4.src.rpm

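
Added example (not part of the bug report and not OpenSSH's code): a simplified Python model of the client-side decision the advisory above describes, run over constructed key blobs and a constructed SSHFP record. The names OfferedKey, verify and demo are hypothetical, and the patched branch assumes the SSHFP comparison is made against the plain key inside the certificate.

```python
import hashlib
from dataclasses import dataclass

def sshfp_sha256(key_blob: bytes) -> str:
    """SSHFP fingerprint type 2 (RFC 6594): SHA-256 over the public key blob."""
    return hashlib.sha256(key_blob).hexdigest()

def parse_sshfp(rr: str):
    """Parse 'name IN SSHFP <alg> <fptype> <hex>' into (alg, fptype, hex)."""
    fields = rr.split()
    i = fields.index("SSHFP")
    return int(fields[i + 1]), int(fields[i + 2]), "".join(fields[i + 3:]).lower()

@dataclass
class OfferedKey:              # hypothetical model of what the server presents
    alg: int                   # SSHFP algorithm number (4 = Ed25519)
    blob: bytes                # plain public key blob
    is_cert: bool = False      # key arrives wrapped in a host certificate
    ca_trusted: bool = False   # client trusts the CA that signed it

def verify(key: OfferedKey, sshfp_rrs, fixed: bool) -> str:
    """Simplified model of the client's host key decision, not OpenSSH code."""
    if key.is_cert and key.ca_trusted:
        return "accepted-by-ca"
    if key.is_cert and not fixed:
        # CVE-2014-2653: an unaccepted certificate means DNS is never consulted.
        return "sshfp-skipped"
    # Assumed fixed behaviour: compare the plain key inside the certificate.
    records = [parse_sshfp(rr) for rr in sshfp_rrs]
    if (key.alg, 2, sshfp_sha256(key.blob)) in records:
        return "sshfp-match"
    return "sshfp-mismatch" if records else "no-sshfp-records"

# Constructed sample data: two fake key blobs and the zone's SSHFP record.
GENUINE = b"constructed-genuine-host-key"
OTHER = b"constructed-unexpected-host-key"
ZONE = [f"host.example. IN SSHFP 4 2 {sshfp_sha256(GENUINE)}"]

def demo():
    cert = OfferedKey(4, OTHER, is_cert=True)   # certificate from an untrusted CA
    return {
        "genuine plain key": verify(OfferedKey(4, GENUINE), ZONE, fixed=False),
        "unexpected plain key": verify(OfferedKey(4, OTHER), ZONE, fixed=False),
        "unexpected cert, unpatched": verify(cert, ZONE, fixed=False),
        "unexpected cert, patched": verify(cert, ZONE, fixed=True),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

In this model the same unexpected key yields a mismatch when offered plainly or to a patched client, while the unpatched client never consults the SSHFP record once the key is wrapped in a certificate.
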
Comment 1 claire robinson 2014-04-08 11:25:10 CEST
No PoC.

Testing complete mga4 32 & 64

Just used ssh to connect from one to the other and back again.
Comment 2 claire robinson 2014-04-08 12:18:35 CEST
Testing complete mga3 32 & 64
Comment 3 claire robinson 2014-04-08 12:21:56 CEST
Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks
Comment 4 Damien Lallement 2014-04-08 14:50:20 CEST
http://advisories.mageia.org/MGASA-2014-0166.html
Comment 5 Colin Watson 2014-04-09 14:18:25 CEST
It's not correct that this bug was fixed upstream in 6.6p1.  We discovered it in Debian and (after consultation with upstream) pushed a fix together with our first upload of 6.6p1; but 6.6p1 itself doesn't contain the fix.  Therefore I believe Cauldron is in fact still vulnerable.
Comment 6 David Walser 2014-04-09 14:36:41 CEST
(In reply to Colin Watson from comment #5)
> It's not correct that this bug was fixed upstream in 6.6p1.  We discovered
> it in Debian and (after consultation with upstream) pushed a fix together
> with our first upload of 6.6p1; but 6.6p1 itself doesn't contain the fix. 
> Therefore I believe Cauldron is in fact still vulnerable.

Thanks for letting us know!  I'll grab the patch and apply it later today.
Comment 7 David Walser 2014-04-09 16:19:29 CEST
(In reply to David Walser from comment #6)
> (In reply to Colin Watson from comment #5)
> > It's not correct that this bug was fixed upstream in 6.6p1.  We discovered
> > it in Debian and (after consultation with upstream) pushed a fix together
> > with our first upload of 6.6p1; but 6.6p1 itself doesn't contain the fix. 
> > Therefore I believe Cauldron is in fact still vulnerable.
> 
> Thanks for letting us know!  I'll grab the patch and apply it later today.

Done.  Thanks again!
