Bug 16617 - openssh new security issues fixed upstream in 7.0 (CVE-2015-6563 and CVE-2015-6564)
Summary: openssh new security issues fixed upstream in 7.0 (CVE-2015-6563 and CVE-2015...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/655002/
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-08-20 00:51 CEST by David Walser
Modified: 2015-08-24 13:45 CEST (History)
2 users (show)

See Also:
Source RPM: openssh-6.6p1-5.3.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-08-20 00:51:03 CEST
CVEs have been requested for two security issues fixed in OpenSSH 7.0:
http://openwall.com/lists/oss-security/2015/08/11/9

There has been no response yet as far as CVE assignments.

Fedora has issued an advisory for this on August 14:
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/164224.html

The relevant RedHat bugs are here:
https://bugzilla.redhat.com/show_bug.cgi?id=1252844
https://bugzilla.redhat.com/show_bug.cgi?id=1252852

Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated openssh packages fix security vulnerabilities:

Privilege seaparation weakness related to PAM support allowing the attacker to
impersonate other users was found in openssh package. Attackers who could
successfully compromise the pre-authentication process for remote code
execution and who had valid credentials on the host could impersonate other
users (rhbz#1252844).

Use-after-free bug was found in openssh package. The vulnerability is
exploitable by attackers who could compromise the pre-authentication process
for remote code execution (rhbz#1252852).

References:
http://openwall.com/lists/oss-security/2015/08/11/9
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/164224.html
========================

Updated packages in core/updates_testing:
========================
openssh-6.2p2-3.5.mga4
openssh-clients-6.2p2-3.5.mga4
openssh-server-6.2p2-3.5.mga4
openssh-askpass-common-6.2p2-3.5.mga4
openssh-askpass-6.2p2-3.5.mga4
openssh-askpass-gnome-6.2p2-3.5.mga4
openssh-ldap-6.2p2-3.5.mga4
openssh-6.6p1-5.5.mga5
openssh-clients-6.6p1-5.5.mga5
openssh-server-6.6p1-5.5.mga5
openssh-askpass-common-6.6p1-5.5.mga5
openssh-askpass-6.6p1-5.5.mga5
openssh-askpass-gnome-6.6p1-5.5.mga5
openssh-ldap-6.6p1-5.5.mga5

from SRPMS:
openssh-6.2p2-3.5.mga4.src.rpm
openssh-6.6p1-5.5.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2015-08-20 00:51:09 CEST

Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2015-08-21 00:31:24 CEST
I just fixed this regression in the CVE-2015-5600 OpenSSH update for Mageia 4:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1485719

Apparently it doesn't affect 6.5p1 and newer (so Mageia 5 is fine).

Updated packages in core/updates_testing:
========================
openssh-6.2p2-3.6.mga4
openssh-clients-6.2p2-3.6.mga4
openssh-server-6.2p2-3.6.mga4
openssh-askpass-common-6.2p2-3.6.mga4
openssh-askpass-6.2p2-3.6.mga4
openssh-askpass-gnome-6.2p2-3.6.mga4
openssh-ldap-6.2p2-3.6.mga4

from openssh-6.2p2-3.6.mga4.src.rpm
Comment 2 Samuel Verschelde 2015-08-21 10:15:25 CEST
Could connect to a server using the updated packages, and after restarting the server on my computer, connect to it from another computer.

Mageia 4 64.

Whiteboard: MGA4TOO => MGA4TOO MGA4-64-OK

Comment 3 Samuel Verschelde 2015-08-21 10:18:09 CEST
(In reply to Samuel VERSCHELDE from comment #2)
> Could connect to a server using the updated packages, and after restarting
> the server on my computer, connect to it from another computer.
> 
> Mageia 4 64.

Oops, that was with 5.mga4 and not 6.mga4. Will wait for my mirror to sync.

Whiteboard: MGA4TOO MGA4-64-OK => MGA4TOO

Comment 4 William Kenney 2015-08-21 16:42:14 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
openssh openssh-clients openssh-server

default install of openssh openssh-clients & openssh-server

[root@localhost wilcal]# urpmi openssh
Package openssh-6.2p2-3.4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.2p2-3.4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.2p2-3.4.mga4.i586 is already installed

Putty can connect to localhost
Putty can connect to an external ssh server on the LAN
Putty on another M5 system on the LAN can connect back to the Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key
In user terminal on another M5 system on the LAN:
[wilcal@localhost ~]$ ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` wilcal@192.168.1.140
Warning: Permanently added '192.168.1.140' (RSA) to the list of known hosts.
2nd time:
[wilcal@localhost ~]$ ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` wilcal@192.168.1.140
Password: 
Last login: Fri Aug 21 07:03:34 2015 from unknownfcaa149b0480.attlocal.net


install openssh openssh-clients & openssh-server from updates_testing

[root@localhost wilcal]# urpmi openssh
Package openssh-6.2p2-3.6.mga4.i586 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.2p2-3.6.mga4.i586 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.2p2-3.6.mga4.i586 is already installed
In user terminal on another M5 system on the LAN:
ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000' wilcal@192.168.1.140

Putty can connect to localhost
Putty can connect to an external ssh server on the LAN
Putty on another M5 system on the LAN can connect back to the Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key
In user terminal on another M5 system on the LAN:
[wilcal@localhost ~]$ ssh wilcal@192.168.1.140
Password: xxx
logs in just fine

CC: (none) => wilcal.int

Comment 5 William Kenney 2015-08-21 16:42:32 CEST
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
openssh openssh-clients openssh-server

default install of openssh openssh-clients & openssh-server

[root@localhost wilcal]# urpmi openssh
Package openssh-6.2p2-3.4.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.2p2-3.4.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.2p2-3.4.mga4.x86_64 is already installed

Putty can connect to localhost
Putty can connect to an external ssh server on the LAN
Putty on another M5 system on the LAN can connect back to the Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key
In user terminal on another M5 system on the LAN:
[wilcal@localhost ~]$ ssh wilcal@192.168.1.142
wilcal@192.168.1.142's password: 
Last login: Fri Aug 21 07:30:21 2015 from unknownfcaa149b0480.attlocal.net

install openssh openssh-clients & openssh-server from updates_testing

[root@localhost wilcal]# urpmi openssh
Package openssh-6.2p2-3.6.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.2p2-3.6.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.2p2-3.6.mga4.x86_64 is already installed

Putty can connect to localhost
Putty can connect to an external ssh server on the LAN
Putty on another M5 system on the LAN can connect back to the Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key
In user terminal on another M5 system on the LAN:
[wilcal@localhost ~]$ ssh wilcal@192.168.1.142
Password: 
Last login: Fri Aug 21 07:39:32 2015 from unknownfcaa149b0480.attlocal.net
William Kenney 2015-08-21 16:42:49 CEST

Whiteboard: MGA4TOO => MGA4TOO MGA4-32-OK MGA4-64-OK

Comment 6 William Kenney 2015-08-21 17:02:12 CEST
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
openssh openssh-clients openssh-server

default install of openssh openssh-clients & openssh-server

[root@localhost wilcal]# urpmi openssh
Package openssh-6.6p1-5.3.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.6p1-5.3.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.6p1-5.3.mga5.i586 is already installed

Putty can connect to localhost
Putty can connect to an external ssh server on the LAN
Putty on another M5 system on the LAN can connect back to the Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key
In user terminal on another M5 system on the LAN:
[wilcal@localhost ~]$ ssh wilcal@192.168.1.143
Password: 
Last login: Fri Aug 21 07:53:14 2015 from unknownfcaa149b0480.attlocal.net
works

install openssh openssh-clients & openssh-server from updates_testing

[root@localhost wilcal]# urpmi openssh
Package openssh-6.6p1-5.5.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.6p1-5.5.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.6p1-5.5.mga5.i586 is already installed

Putty can connect to localhost
Putty can connect to an external ssh server on the LAN
Putty on another M5 system on the LAN can connect back to the Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key
In user terminal on another M5 system on the LAN:
[wilcal@localhost ~]$ ssh wilcal@192.168.1.143
Password: 
Last login: Fri Aug 21 07:39:32 2015 from unknownfcaa149b0480.attlocal.net
works

Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK

Comment 7 William Kenney 2015-08-21 17:21:29 CEST
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
openssh openssh-clients openssh-server

default install of openssh openssh-clients & openssh-server

[root@localhost wilcal]# urpmi openssh
Package openssh-6.6p1-5.3.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.6p1-5.3.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.6p1-5.3.mga5.x86_64 is already installed

Putty can connect to localhost
Putty can connect to an external ssh server on the LAN
Putty on another M5 system on the LAN can connect back to the Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key
In user terminal on another M5 system on the LAN:
[wilcal@localhost ~]$ ssh wilcal@192.168.1.141
Password: xxx
Last login: Fri Aug 21 08:11:48 2015 from unknownfcaa149b0480.attlocal.net
works

install openssh openssh-clients & openssh-server from updates_testing

[root@localhost wilcal]# urpmi openssh
Package openssh-6.6p1-5.5.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.6p1-5.5.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.6p1-5.5.mga5.x86_64 is already installed

Putty can connect to localhost
Putty can connect to an external ssh server on the LAN
Putty on another M5 system on the LAN can connect back to the Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key
In user terminal on another M5 system on the LAN:
[wilcal@localhost ~]$ ssh wilcal@192.168.1.141
Password: xxx
Last login: Fri Aug 21 08:18:17 2015 from unknownfcaa149b0480.attlocal.net
works
William Kenney 2015-08-21 17:21:47 CEST

Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK

Comment 8 William Kenney 2015-08-21 17:23:33 CEST
This looks good to go David. What you say?
Rémi Verschelde 2015-08-21 17:29:07 CEST

Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK advisory

Comment 9 David Walser 2015-08-21 18:32:51 CEST
Yep, ship it.
Comment 10 Rémi Verschelde 2015-08-21 20:22:08 CEST
Validating then.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2015-08-21 20:56:18 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0321.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 12 David Walser 2015-08-24 13:45:55 CEST
CVEs have finally been assigned:
http://openwall.com/lists/oss-security/2015/08/22/1

Can someone update the advisory in SVN?

Advisory:
========================

Updated openssh packages fix security vulnerabilities:

Privilege seaparation weakness related to PAM support allowing the attacker to
impersonate other users was found in openssh package. Attackers who could
successfully compromise the pre-authentication process for remote code
execution and who had valid credentials on the host could impersonate other
users (CVE-2015-6563).

Use-after-free bug was found in openssh package. The vulnerability is
exploitable by attackers who could compromise the pre-authentication process
for remote code execution (CVE-2015-6564).

References:
http://openwall.com/lists/oss-security/2015/08/22/1
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/164224.html

Summary: openssh new security issues fixed upstream in 7.0 => openssh new security issues fixed upstream in 7.0 (CVE-2015-6563 and CVE-2015-6564)


Note You need to log in before you can comment on or make changes to this bug.