CVEs have been requested for two security issues fixed in OpenSSH 7.0: http://openwall.com/lists/oss-security/2015/08/11/9 There has been no response yet as far as CVE assignments. Fedora has issued an advisory for this on August 14: https://lists.fedoraproject.org/pipermail/package-announce/2015-August/164224.html The relevant RedHat bugs are here: https://bugzilla.redhat.com/show_bug.cgi?id=1252844 https://bugzilla.redhat.com/show_bug.cgi?id=1252852 Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron. Advisory: ======================== Updated openssh packages fix security vulnerabilities: Privilege seaparation weakness related to PAM support allowing the attacker to impersonate other users was found in openssh package. Attackers who could successfully compromise the pre-authentication process for remote code execution and who had valid credentials on the host could impersonate other users (rhbz#1252844). Use-after-free bug was found in openssh package. The vulnerability is exploitable by attackers who could compromise the pre-authentication process for remote code execution (rhbz#1252852). References: http://openwall.com/lists/oss-security/2015/08/11/9 https://lists.fedoraproject.org/pipermail/package-announce/2015-August/164224.html ======================== Updated packages in core/updates_testing: ======================== openssh-6.2p2-3.5.mga4 openssh-clients-6.2p2-3.5.mga4 openssh-server-6.2p2-3.5.mga4 openssh-askpass-common-6.2p2-3.5.mga4 openssh-askpass-6.2p2-3.5.mga4 openssh-askpass-gnome-6.2p2-3.5.mga4 openssh-ldap-6.2p2-3.5.mga4 openssh-6.6p1-5.5.mga5 openssh-clients-6.6p1-5.5.mga5 openssh-server-6.6p1-5.5.mga5 openssh-askpass-common-6.6p1-5.5.mga5 openssh-askpass-6.6p1-5.5.mga5 openssh-askpass-gnome-6.6p1-5.5.mga5 openssh-ldap-6.6p1-5.5.mga5 from SRPMS: openssh-6.2p2-3.5.mga4.src.rpm openssh-6.6p1-5.5.mga5.src.rpm Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA4TOO
I just fixed this regression in the CVE-2015-5600 OpenSSH update for Mageia 4: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1485719 Apparently it doesn't affect 6.5p1 and newer (so Mageia 5 is fine). Updated packages in core/updates_testing: ======================== openssh-6.2p2-3.6.mga4 openssh-clients-6.2p2-3.6.mga4 openssh-server-6.2p2-3.6.mga4 openssh-askpass-common-6.2p2-3.6.mga4 openssh-askpass-6.2p2-3.6.mga4 openssh-askpass-gnome-6.2p2-3.6.mga4 openssh-ldap-6.2p2-3.6.mga4 from openssh-6.2p2-3.6.mga4.src.rpm
Could connect to a server using the updated packages, and after restarting the server on my computer, connect to it from another computer. Mageia 4 64.
Whiteboard: MGA4TOO => MGA4TOO MGA4-64-OK
(In reply to Samuel VERSCHELDE from comment #2) > Could connect to a server using the updated packages, and after restarting > the server on my computer, connect to it from another computer. > > Mageia 4 64. Oops, that was with 5.mga4 and not 6.mga4. Will wait for my mirror to sync.
Whiteboard: MGA4TOO MGA4-64-OK => MGA4TOO
In VirtualBox, M4, KDE, 32-bit Package(s) under test: openssh openssh-clients openssh-server default install of openssh openssh-clients & openssh-server [root@localhost wilcal]# urpmi openssh Package openssh-6.2p2-3.4.mga4.i586 is already installed [root@localhost wilcal]# urpmi openssh-clients Package openssh-clients-6.2p2-3.4.mga4.i586 is already installed [root@localhost wilcal]# urpmi openssh-server Package openssh-server-6.2p2-3.4.mga4.i586 is already installed Putty can connect to localhost Putty can connect to an external ssh server on the LAN Putty on another M5 system on the LAN can connect back to the Vbox client under test "ssh-keygen -t rsa" command generates a public and private key In user terminal on another M5 system on the LAN: [wilcal@localhost ~]$ ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` wilcal@192.168.1.140 Warning: Permanently added '192.168.1.140' (RSA) to the list of known hosts. 2nd time: [wilcal@localhost ~]$ ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` wilcal@192.168.1.140 Password: Last login: Fri Aug 21 07:03:34 2015 from unknownfcaa149b0480.attlocal.net install openssh openssh-clients & openssh-server from updates_testing [root@localhost wilcal]# urpmi openssh Package openssh-6.2p2-3.6.mga4.i586 is already installed [root@localhost wilcal]# urpmi openssh-clients Package openssh-clients-6.2p2-3.6.mga4.i586 is already installed [root@localhost wilcal]# urpmi openssh-server Package openssh-server-6.2p2-3.6.mga4.i586 is already installed In user terminal on another M5 system on the LAN: ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000' wilcal@192.168.1.140 Putty can connect to localhost Putty can connect to an external ssh server on the LAN Putty on another M5 system on the LAN can connect back to the Vbox client under test "ssh-keygen -t rsa" command generates a public and private key In user terminal on another M5 system on the LAN: [wilcal@localhost ~]$ ssh wilcal@192.168.1.140 Password: xxx logs in just fine
CC: (none) => wilcal.int
In VirtualBox, M4, KDE, 64-bit Package(s) under test: openssh openssh-clients openssh-server default install of openssh openssh-clients & openssh-server [root@localhost wilcal]# urpmi openssh Package openssh-6.2p2-3.4.mga4.x86_64 is already installed [root@localhost wilcal]# urpmi openssh-clients Package openssh-clients-6.2p2-3.4.mga4.x86_64 is already installed [root@localhost wilcal]# urpmi openssh-server Package openssh-server-6.2p2-3.4.mga4.x86_64 is already installed Putty can connect to localhost Putty can connect to an external ssh server on the LAN Putty on another M5 system on the LAN can connect back to the Vbox client under test "ssh-keygen -t rsa" command generates a public and private key In user terminal on another M5 system on the LAN: [wilcal@localhost ~]$ ssh wilcal@192.168.1.142 wilcal@192.168.1.142's password: Last login: Fri Aug 21 07:30:21 2015 from unknownfcaa149b0480.attlocal.net install openssh openssh-clients & openssh-server from updates_testing [root@localhost wilcal]# urpmi openssh Package openssh-6.2p2-3.6.mga4.x86_64 is already installed [root@localhost wilcal]# urpmi openssh-clients Package openssh-clients-6.2p2-3.6.mga4.x86_64 is already installed [root@localhost wilcal]# urpmi openssh-server Package openssh-server-6.2p2-3.6.mga4.x86_64 is already installed Putty can connect to localhost Putty can connect to an external ssh server on the LAN Putty on another M5 system on the LAN can connect back to the Vbox client under test "ssh-keygen -t rsa" command generates a public and private key In user terminal on another M5 system on the LAN: [wilcal@localhost ~]$ ssh wilcal@192.168.1.142 Password: Last login: Fri Aug 21 07:39:32 2015 from unknownfcaa149b0480.attlocal.net
Whiteboard: MGA4TOO => MGA4TOO MGA4-32-OK MGA4-64-OK
In VirtualBox, M5, KDE, 32-bit Package(s) under test: openssh openssh-clients openssh-server default install of openssh openssh-clients & openssh-server [root@localhost wilcal]# urpmi openssh Package openssh-6.6p1-5.3.mga5.i586 is already installed [root@localhost wilcal]# urpmi openssh-clients Package openssh-clients-6.6p1-5.3.mga5.i586 is already installed [root@localhost wilcal]# urpmi openssh-server Package openssh-server-6.6p1-5.3.mga5.i586 is already installed Putty can connect to localhost Putty can connect to an external ssh server on the LAN Putty on another M5 system on the LAN can connect back to the Vbox client under test "ssh-keygen -t rsa" command generates a public and private key In user terminal on another M5 system on the LAN: [wilcal@localhost ~]$ ssh wilcal@192.168.1.143 Password: Last login: Fri Aug 21 07:53:14 2015 from unknownfcaa149b0480.attlocal.net works install openssh openssh-clients & openssh-server from updates_testing [root@localhost wilcal]# urpmi openssh Package openssh-6.6p1-5.5.mga5.i586 is already installed [root@localhost wilcal]# urpmi openssh-clients Package openssh-clients-6.6p1-5.5.mga5.i586 is already installed [root@localhost wilcal]# urpmi openssh-server Package openssh-server-6.6p1-5.5.mga5.i586 is already installed Putty can connect to localhost Putty can connect to an external ssh server on the LAN Putty on another M5 system on the LAN can connect back to the Vbox client under test "ssh-keygen -t rsa" command generates a public and private key In user terminal on another M5 system on the LAN: [wilcal@localhost ~]$ ssh wilcal@192.168.1.143 Password: Last login: Fri Aug 21 07:39:32 2015 from unknownfcaa149b0480.attlocal.net works
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit Package(s) under test: openssh openssh-clients openssh-server default install of openssh openssh-clients & openssh-server [root@localhost wilcal]# urpmi openssh Package openssh-6.6p1-5.3.mga5.x86_64 is already installed [root@localhost wilcal]# urpmi openssh-clients Package openssh-clients-6.6p1-5.3.mga5.x86_64 is already installed [root@localhost wilcal]# urpmi openssh-server Package openssh-server-6.6p1-5.3.mga5.x86_64 is already installed Putty can connect to localhost Putty can connect to an external ssh server on the LAN Putty on another M5 system on the LAN can connect back to the Vbox client under test "ssh-keygen -t rsa" command generates a public and private key In user terminal on another M5 system on the LAN: [wilcal@localhost ~]$ ssh wilcal@192.168.1.141 Password: xxx Last login: Fri Aug 21 08:11:48 2015 from unknownfcaa149b0480.attlocal.net works install openssh openssh-clients & openssh-server from updates_testing [root@localhost wilcal]# urpmi openssh Package openssh-6.6p1-5.5.mga5.x86_64 is already installed [root@localhost wilcal]# urpmi openssh-clients Package openssh-clients-6.6p1-5.5.mga5.x86_64 is already installed [root@localhost wilcal]# urpmi openssh-server Package openssh-server-6.6p1-5.5.mga5.x86_64 is already installed Putty can connect to localhost Putty can connect to an external ssh server on the LAN Putty on another M5 system on the LAN can connect back to the Vbox client under test "ssh-keygen -t rsa" command generates a public and private key In user terminal on another M5 system on the LAN: [wilcal@localhost ~]$ ssh wilcal@192.168.1.141 Password: xxx Last login: Fri Aug 21 08:18:17 2015 from unknownfcaa149b0480.attlocal.net works
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK
This looks good to go David. What you say?
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK advisory
Yep, ship it.
Validating then.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0321.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
CVEs have finally been assigned: http://openwall.com/lists/oss-security/2015/08/22/1 Can someone update the advisory in SVN? Advisory: ======================== Updated openssh packages fix security vulnerabilities: Privilege seaparation weakness related to PAM support allowing the attacker to impersonate other users was found in openssh package. Attackers who could successfully compromise the pre-authentication process for remote code execution and who had valid credentials on the host could impersonate other users (CVE-2015-6563). Use-after-free bug was found in openssh package. The vulnerability is exploitable by attackers who could compromise the pre-authentication process for remote code execution (CVE-2015-6564). References: http://openwall.com/lists/oss-security/2015/08/22/1 https://lists.fedoraproject.org/pipermail/package-announce/2015-August/164224.html
Summary: openssh new security issues fixed upstream in 7.0 => openssh new security issues fixed upstream in 7.0 (CVE-2015-6563 and CVE-2015-6564)