Bug 16266 - openssh new security issue CVE-2015-5352
Summary: openssh new security issue CVE-2015-5352
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/650293/
Whiteboard: MGA4TOO advisory MGA4-32-OK MGA4-64-O...
Keywords: validated_update
 
Reported: 2015-07-01 19:47 CEST by David Walser
Modified: 2015-07-09 10:10 CEST

Source RPM: openssh-6.8p1-1.mga6.src.rpm

Description David Walser 2015-07-01 19:47:22 CEST
A CVE has been assigned for a security issue fixed in OpenSSH 6.9p1:
http://openwall.com/lists/oss-security/2015/07/01/10

A link to the upstream commit to fix the issue is in the message above.

David Walser 2015-07-01 19:47:28 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-07-04 22:54:18 CEST
Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated openssh packages fix security vulnerability:

In Portable OpenSSH before 6.9p1, when forwarding X11 connections with
ForwardX11Trusted=no, connections made after ForwardX11Timeout expired could
be permitted and no longer subject to XSECURITY restrictions because of an
ineffective timeout check in ssh (CVE-2015-5352).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5352
http://openwall.com/lists/oss-security/2015/07/01/10
========================

Updated packages in core/updates_testing:
========================
openssh-6.2p2-3.3.mga4
openssh-clients-6.2p2-3.3.mga4
openssh-server-6.2p2-3.3.mga4
openssh-askpass-common-6.2p2-3.3.mga4
openssh-askpass-6.2p2-3.3.mga4
openssh-askpass-gnome-6.2p2-3.3.mga4
openssh-ldap-6.2p2-3.3.mga4
openssh-6.6p1-5.1.mga5
openssh-clients-6.6p1-5.1.mga5
openssh-server-6.6p1-5.1.mga5
openssh-askpass-common-6.6p1-5.1.mga5
openssh-askpass-6.6p1-5.1.mga5
openssh-askpass-gnome-6.6p1-5.1.mga5
openssh-ldap-6.6p1-5.1.mga5

from SRPMS:
openssh-6.2p2-3.3.mga4.src.rpm
openssh-6.6p1-5.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: guillomovitch => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
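
The advisory in comment 1 only applies to clients that forward X11 with ForwardX11Trusted=no. The following is an added example, not part of the bug report and not Mageia or OpenSSH code, that lists the blocks of an ssh_config text where that combination is in effect, together with the ForwardX11Timeout that applies. The function names and the sample configuration are hypothetical, the fallback values are assumed to be the upstream built-in ones, and each block is judged on its own plus the global options (overlapping Host patterns and Match criteria are not evaluated).

```python
import re

# keyword, then whitespace or a single "=", then the value (ssh_config syntax)
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")
KEYS = ("forwardx11", "forwardx11trusted", "forwardx11timeout")
# Assumption: upstream built-in values; a shipped ssh_config may set them explicitly.
UPSTREAM = {"forwardx11": "no", "forwardx11trusted": "no", "forwardx11timeout": "20m"}

def parse_blocks(text):
    """Split ssh_config text into [(host_pattern, {keyword: value}), ...]."""
    blocks = [("(global)", {})]
    for raw in text.splitlines():
        m = LINE.match(raw.strip())  # blank lines and "#" comments do not match
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key in ("host", "match"):
            blocks.append((value, {}))
        elif key in KEYS:
            # ssh uses the first value it obtains for each keyword
            blocks[-1][1].setdefault(key, value.lower())
    return blocks

def untrusted_x11_blocks(text, defaults=UPSTREAM):
    """Return (host_pattern, timeout) where ForwardX11=yes and ForwardX11Trusted=no."""
    blocks = parse_blocks(text)
    global_opts = blocks[0][1]
    hits = []
    for name, opts in blocks:
        # Options before the first Host line are read first, so they win over the block.
        eff = {**defaults, **opts, **global_opts}
        if eff["forwardx11"] == "yes" and eff["forwardx11trusted"] == "no":
            hits.append((name, eff["forwardx11timeout"]))
    return hits

# Constructed sample configuration, not taken from the bug report.
SAMPLE = """\
Host *.lab.example
    ForwardX11 yes
    ForwardX11Trusted=no
    ForwardX11Timeout 5m
Host build.example
    ForwardX11 yes
    ForwardX11Trusted yes
"""

if __name__ == "__main__":
    for host, timeout in untrusted_x11_blocks(SAMPLE):
        print(f"{host}: untrusted X11 forwarding, ForwardX11Timeout={timeout}")
```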

Comment 2 Dave Hodgins 2015-07-05 00:25:10 CEST
Advisory committed to svn.

CC: (none) => davidwhodgins
Whiteboard: MGA4TOO => MGA4TOO advisory

David Walser 2015-07-06 20:23:00 CEST

URL: (none) => http://lwn.net/Vulnerabilities/650293/

Comment 3 William Kenney 2015-07-08 19:28:10 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
openssh openssh-clients openssh-server

default install of openssh openssh-clients & openssh-server

[root@localhost wilcal]# urpmi openssh
Package openssh-6.2p2-3.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.2p2-3.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.2p2-3.2.mga4.i586 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

install openssh openssh-clients & openssh-server from updates_testing

[root@localhost wilcal]# urpmi openssh
Package openssh-6.2p2-3.3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.2p2-3.3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.2p2-3.3.mga4.i586 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64

CC: (none) => wilcal.int

Comment 4 William Kenney 2015-07-08 20:35:12 CEST
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
openssh openssh-clients openssh-server openssh-askpass

default install of openssh openssh-clients openssh-server & openssh-askpass

[root@localhost wilcal]# urpmi openssh
Package openssh-6.2p2-3.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.2p2-3.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.2p2-3.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-askpass
Package openssh-askpass-6.2p2-3.2.mga4.x86_64 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

install openssh openssh-clients & openssh-server from updates_testing

[root@localhost wilcal]# urpmi openssh
Package openssh-6.2p2-3.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.2p2-3.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.2p2-3.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-askpass
Package openssh-askpass-6.2p2-3.3.mga4.x86_64 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64

Comment 5 William Kenney 2015-07-08 22:31:07 CEST
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
openssh openssh-clients openssh-server openssh-askpass

default install of openssh openssh-clients openssh-server & openssh-askpass

[root@localhost wilcal]# urpmi openssh
Package openssh-6.6p1-5.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.6p1-5.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.6p1-5.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-askpass
Package openssh-askpass-6.6p1-5.mga5.i586 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

install openssh openssh-clients openssh-server & openssh-askpass
from updates_testing

[root@localhost wilcal]# urpmi openssh
Package openssh-6.6p1-5.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.6p1-5.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.6p1-5.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-askpass
Package openssh-askpass-6.6p1-5.1.mga5.i586 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64

Comment 6 William Kenney 2015-07-08 22:46:16 CEST
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
openssh openssh-clients openssh-server openssh-askpass

default install of openssh openssh-clients openssh-server & openssh-askpass

[root@localhost wilcal]# urpmi openssh
Package openssh-6.6p1-5.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.6p1-5.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.6p1-5.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-askpass
Package openssh-askpass-6.6p1-5.mga5.x86_64 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

install openssh openssh-clients openssh-server & openssh-askpass
from updates_testing

[root@localhost wilcal]# urpmi openssh
Package openssh-6.6p1-5.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.6p1-5.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.6p1-5.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-askpass
Package openssh-askpass-6.6p1-5.1.mga5.x86_64 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64

Comment 7 William Kenney 2015-07-08 22:46:53 CEST
Looks good. What you say David(s)?

Comment 8 David Walser 2015-07-08 22:50:37 CEST
(In reply to William Kenney from comment #7)
> Looks good. What you say David(s)?

It wasn't clear from your testing reports if you were SSH'ing *to* the machine running the openssh-server you were testing (using PuTTY or otherwise).  If you were, then yes it sounds OK.

I just checked and the setting mentioned in the advisory is not the default, and the comments there say changing it is unlikely to work correctly in most cases, so this issue probably doesn't actually affect anybody anyway :o)

Comment 9 William Kenney 2015-07-09 00:46:35 CEST
(In reply to David Walser from comment #8)

> It wasn't clear from your testing reports if you were SSH'ing *to* the
> machine running the openssh-server you were testing (using PuTTY or
> otherwise).  If you were, then yes it sounds OK.

Two completely different machines on the LAN. One a Vbox client under test that talks SSH to a real machine on the LAN. Then vice versa.

William Kenney 2015-07-09 00:48:23 CEST

Whiteboard: MGA4TOO advisory => MGA4TOO advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK

Comment 10 William Kenney 2015-07-09 00:49:16 CEST
This update works fine.
Testing complete for mga4/5 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push #####.adv to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2015-07-09 10:10:00 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0271.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

