Debian has issued an advisory on April 5:
https://www.debian.org/security/2014/dsa-2894

Patched packages uploaded for Mageia 3 and Mageia 4.

Cauldron is not affected, as it was fixed upstream in 6.6p1.

Advisory:
========================

Updated openssh packages fix security vulnerability:

Matthew Vernon reported that if a SSH server offers a HostCertificate that the ssh client doesn't accept, then the client doesn't check the DNS for SSHFP records. As a consequence a malicious server can disable SSHFP-checking by presenting a certificate (CVE-2014-2653).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653
https://www.debian.org/security/2014/dsa-2894
========================

Updated packages in core/updates_testing:
========================
openssh-6.1p1-4.3.mga3
openssh-clients-6.1p1-4.3.mga3
openssh-server-6.1p1-4.3.mga3
openssh-askpass-common-6.1p1-4.3.mga3
openssh-askpass-6.1p1-4.3.mga3
openssh-askpass-gnome-6.1p1-4.3.mga3
openssh-ldap-6.1p1-4.3.mga3
openssh-6.2p2-3.2.mga4
openssh-clients-6.2p2-3.2.mga4
openssh-server-6.2p2-3.2.mga4
openssh-askpass-common-6.2p2-3.2.mga4
openssh-askpass-6.2p2-3.2.mga4
openssh-askpass-gnome-6.2p2-3.2.mga4
openssh-ldap-6.2p2-3.2.mga4

from SRPMS:
openssh-6.1p1-4.3.mga3.src.rpm
openssh-6.2p2-3.2.mga4.src.rpm
Whiteboard: (none) => MGA3TOO
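An added example, not part of the original report and not OpenSSH or Mageia code: a sketch of the comparison an SSHFP check performs, applied to the plain host key even when the server presents a certificate-style key blob. The function names, the sample key, and the choice to strip an Ed25519 certificate down to its embedded public key are assumptions of this example; the page does not describe the patch itself.

```python
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) by SSH key type.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}
ED25519_CERT = b"ssh-ed25519-cert-v01@openssh.com"

def read_string(buf, off):
    """Read one SSH wire-format string (uint32 length, then bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end

def pack_string(data):
    return struct.pack(">I", len(data)) + data

def plain_key_blob(blob):
    """Return the plain public key blob; unwrap an Ed25519 certificate blob."""
    ktype, off = read_string(blob, 0)
    if ktype == ED25519_CERT:
        _nonce, off = read_string(blob, off)   # certificate nonce, ignored
        pk, _ = read_string(blob, off)         # embedded public key
        return pack_string(b"ssh-ed25519") + pack_string(pk)
    return blob

def sshfp_matches(blob, records):
    """records: (algorithm, fp_type, hex_digest) tuples taken from DNS."""
    plain = plain_key_blob(blob)
    ktype, _ = read_string(plain, 0)
    algo = SSHFP_ALGO.get(ktype.decode("ascii", "replace"))
    for r_algo, r_type, r_hex in records:
        if r_algo != algo or r_type not in SSHFP_HASH:
            continue
        # The SSHFP digest is computed over the whole public key blob.
        if SSHFP_HASH[r_type](plain).hexdigest() == r_hex.lower():
            return True
    return False

# Constructed sample data (not real keys): one key as a plain blob and inside
# a certificate-style blob (only the leading fields are modelled).
PK = bytes(range(32))
PLAIN = pack_string(b"ssh-ed25519") + pack_string(PK)
CERT = pack_string(ED25519_CERT) + pack_string(b"\x00" * 32) + pack_string(PK) + b"\x00" * 8
RECORDS = [(4, 2, hashlib.sha256(PLAIN).hexdigest())]

if __name__ == "__main__":
    print(sshfp_matches(PLAIN, RECORDS), sshfp_matches(CERT, RECORDS))
```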
No PoC.

Testing complete mga4 32 & 64

Just used ssh to connect from one to the other and back again.
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-32-ok mga4-64-ok
Testing complete mga3 32 & 64
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0166.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED
It's not correct that this bug was fixed upstream in 6.6p1. We discovered it in Debian and (after consultation with upstream) pushed a fix together with our first upload of 6.6p1; but 6.6p1 itself doesn't contain the fix. Therefore I believe Cauldron is in fact still vulnerable.
CC: (none) => cjwatson
(In reply to Colin Watson from comment #5)
> It's not correct that this bug was fixed upstream in 6.6p1. We discovered
> it in Debian and (after consultation with upstream) pushed a fix together
> with our first upload of 6.6p1; but 6.6p1 itself doesn't contain the fix.
> Therefore I believe Cauldron is in fact still vulnerable.

Thanks for letting us know! I'll grab the patch and apply it later today.
(In reply to David Walser from comment #6)
> (In reply to Colin Watson from comment #5)
> > It's not correct that this bug was fixed upstream in 6.6p1. We discovered
> > it in Debian and (after consultation with upstream) pushed a fix together
> > with our first upload of 6.6p1; but 6.6p1 itself doesn't contain the fix.
> > Therefore I believe Cauldron is in fact still vulnerable.
>
> Thanks for letting us know! I'll grab the patch and apply it later today.

Done. Thanks again!