A CVE has been assigned for a security issue fixed in OpenSSH 6.9p1:
http://openwall.com/lists/oss-security/2015/07/01/10

A link to the upstream commit to fix the issue is in the message above.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated openssh packages fix security vulnerability:

In Portable OpenSSH before 6.9p1, when forwarding X11 connections with ForwardX11Trusted=no, connections made after ForwardX11Timeout expired could be permitted and no longer subject to XSECURITY restrictions because of an ineffective timeout check in ssh (CVE-2015-5352).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5352
http://openwall.com/lists/oss-security/2015/07/01/10
========================

Updated packages in core/updates_testing:
========================
openssh-6.2p2-3.3.mga4
openssh-clients-6.2p2-3.3.mga4
openssh-server-6.2p2-3.3.mga4
openssh-askpass-common-6.2p2-3.3.mga4
openssh-askpass-6.2p2-3.3.mga4
openssh-askpass-gnome-6.2p2-3.3.mga4
openssh-ldap-6.2p2-3.3.mga4
openssh-6.6p1-5.1.mga5
openssh-clients-6.6p1-5.1.mga5
openssh-server-6.6p1-5.1.mga5
openssh-askpass-common-6.6p1-5.1.mga5
openssh-askpass-6.6p1-5.1.mga5
openssh-askpass-gnome-6.6p1-5.1.mga5
openssh-ldap-6.6p1-5.1.mga5

from SRPMS:
openssh-6.2p2-3.3.mga4.src.rpm
openssh-6.6p1-5.1.mga5.src.rpm
Version: Cauldron => 5
Assignee: guillomovitch => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
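An added example, not part of the bug report and not Mageia or OpenSSH code: a check of whether a host's client configuration relies on the timeout described in the advisory above (ForwardX11 on, ForwardX11Trusted off) and whether an installed package predates the fixed builds listed there. The function names and the sample config are hypothetical, and the parser is simplified: it skips Match blocks, ignores negated Host patterns and does not see -X/-Y given on the command line.

```python
import fnmatch
import re

# Upstream compiled-in defaults; a distribution's shipped ssh_config may override them.
DEFAULTS = {"forwardx11": "no", "forwardx11trusted": "no", "forwardx11timeout": "20m"}
# Fixed builds (version, release), taken from the advisory on this page.
FIXED = {"mga4": ("6.2p2", (3, 3)), "mga5": ("6.6p1", (5, 1))}

def resolve(config_text, host):
    """Resolve the X11 options ssh would apply to `host`; the first value seen wins."""
    seen, active = {}, True  # lines before the first Host apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            active = any(fnmatch.fnmatchcase(host, pat) for pat in args)
        elif key == "match":
            active = False  # simplification: Match blocks are not evaluated
        elif active and key in DEFAULTS and args:
            seen.setdefault(key, args[0].lower())
    return {**DEFAULTS, **seen}

def relies_on_x11_timeout(config_text, host):
    """True when untrusted X11 forwarding is on, so the timeout check matters."""
    opts = resolve(config_text, host)
    return opts["forwardx11"] == "yes" and opts["forwardx11trusted"] == "no"

def predates_fix(package):
    """True/False for the advisory's builds, None for a version it does not list."""
    m = re.search(r"-(\d[^-]*)-(\d+(?:\.\d+)*)\.(mga\d+)", package)
    if not m or m.group(3) not in FIXED:
        return None
    version, release = FIXED[m.group(3)]
    if m.group(1) != version:
        return None
    return tuple(int(n) for n in m.group(2).split(".")) < release

# Constructed sample ssh_config, not taken from any real system.
SAMPLE = """\
Host build-*
    ForwardX11 yes
    ForwardX11Trusted no
Host *
    ForwardX11Trusted yes
"""

if __name__ == "__main__":
    for name in ("build-01", "web-01"):
        print(name, relies_on_x11_timeout(SAMPLE, name), resolve(SAMPLE, name))
    print(predates_fix("openssh-clients-6.2p2-3.2.mga4.i586"))
```
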
Advisory committed to svn.
CC: (none) => davidwhodgins
Whiteboard: MGA4TOO => MGA4TOO advisory
URL: (none) => http://lwn.net/Vulnerabilities/650293/
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
openssh openssh-clients openssh-server

default install of openssh openssh-clients & openssh-server

[root@localhost wilcal]# urpmi openssh
Package openssh-6.2p2-3.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.2p2-3.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.2p2-3.2.mga4.i586 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

install openssh openssh-clients & openssh-server from updates_testing

[root@localhost wilcal]# urpmi openssh
Package openssh-6.2p2-3.3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.2p2-3.3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.2p2-3.3.mga4.i586 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
CC: (none) => wilcal.int
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
openssh openssh-clients openssh-server openssh-askpass

default install of openssh openssh-clients openssh-server & openssh-askpass

[root@localhost wilcal]# urpmi openssh
Package openssh-6.2p2-3.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.2p2-3.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.2p2-3.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-askpass
Package openssh-askpass-6.2p2-3.2.mga4.x86_64 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

install openssh openssh-clients & openssh-server from updates_testing

[root@localhost wilcal]# urpmi openssh
Package openssh-6.2p2-3.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.2p2-3.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.2p2-3.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-askpass
Package openssh-askpass-6.2p2-3.3.mga4.x86_64 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
openssh openssh-clients openssh-server openssh-askpass

default install of openssh openssh-clients openssh-server & openssh-askpass

[root@localhost wilcal]# urpmi openssh
Package openssh-6.6p1-5.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.6p1-5.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.6p1-5.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-askpass
Package openssh-askpass-6.6p1-5.mga5.i586 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

install openssh openssh-clients openssh-server & openssh-askpass from updates_testing

[root@localhost wilcal]# urpmi openssh
Package openssh-6.6p1-5.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.6p1-5.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.6p1-5.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-askpass
Package openssh-askpass-6.6p1-5.1.mga5.i586 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
openssh openssh-clients openssh-server openssh-askpass

default install of openssh openssh-clients openssh-server & openssh-askpass

[root@localhost wilcal]# urpmi openssh
Package openssh-6.6p1-5.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.6p1-5.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.6p1-5.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-askpass
Package openssh-askpass-6.6p1-5.mga5.x86_64 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

install openssh openssh-clients openssh-server & openssh-askpass from updates_testing

[root@localhost wilcal]# urpmi openssh
Package openssh-6.6p1-5.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.6p1-5.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.6p1-5.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-askpass
Package openssh-askpass-6.6p1-5.1.mga5.x86_64 is already installed

Putty can connect to an external ssh server
Putty on another M5 system can connect to Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
Looks good. What you say David(s)?
(In reply to William Kenney from comment #7)
> Looks good. What you say David(s)?

It wasn't clear from your testing reports if you were SSH'ing *to* the machine running the openssh-server you were testing (using PuTTY or otherwise). If you were, then yes it sounds OK.

I just checked and the setting mentioned in the advisory is not the default, and the comments there say changing it is unlikely to work correctly in most cases, so this issue probably doesn't actually affect anybody anyway :o)
(In reply to David Walser from comment #8)
> It wasn't clear from your testing reports if you were SSH'ing *to* the
> machine running the openssh-server you were testing (using PuTTY or
> otherwise). If you were, then yes it sounds OK.

Two completely different machines on the LAN. One a Vbox client under test that talks SSH to a real machine on the LAN. Then vice versa.
Whiteboard: MGA4TOO advisory => MGA4TOO advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK
This update works fine.
Testing complete for mga4/5 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push #####.adv to updates.
Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0271.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED