Debian has issued an advisory on April 15: https://www.debian.org/security/2016/dsa-3550 Mageia 5 is also affected. UseLogin is also not enabled by default in Mageia.
Whiteboard: (none) => MGA5TOO
It's a simple patch: http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-7.2p2-CVE-2015-8325.patch?h=f23&id=669db415332fd00d30aef4fed70ddca12f39afbf
Fixed in openssh-7.2p2-2.mga6 in Cauldron by Guillaume.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Fedora patch checked into Mageia 5 SVN. This issue only affects a non-default and unlikely configuration, so no need to push an update for it at this time. The patch will be included in any future update.
Fedora has issued an advisory today (August 10):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/X2L6RW34VFNXYNVVN2CN73YAGJ5VMTFU/

It fixes CVE-2016-6515, a DoS issue related to running crypt on long passwords.

LWN reference:
http://lwn.net/Vulnerabilities/696931/

It was fixed upstream in 7.3 (which is in Cauldron).

Patched package uploaded for Mageia 5. I've also included a patch that fixes CVE-2016-6210 and a related issue, although at least for CVE-2016-6210, Mageia systems wouldn't generally be affected as we use Blowfish by default.

Advisory:
========================

Updated openssh packages fix security vulnerabilities:

The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable (CVE-2015-8325).

When SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hard-coded in the SSHD source code. An attacker can measure timing information to determine if a user exists when verifying a password (CVE-2016-6210).

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string (CVE-2016-6515).

Note that CVE-2015-8325 and CVE-2016-6210 wouldn't affect most Mageia systems, as UseLogin is not enabled by default and Mageia uses Blowfish password hashes by default.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8325
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6210
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6515
https://www.debian.org/security/2016/dsa-3550
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6210
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/X2L6RW34VFNXYNVVN2CN73YAGJ5VMTFU/
========================

Updated packages in core/updates_testing:
========================
openssh-6.6p1-5.9.mga5
openssh-clients-6.6p1-5.9.mga5
openssh-server-6.6p1-5.9.mga5
openssh-askpass-common-6.6p1-5.9.mga5
openssh-askpass-6.6p1-5.9.mga5
openssh-askpass-gnome-6.6p1-5.9.mga5
openssh-ldap-6.6p1-5.9.mga5

from openssh-6.6p1-5.9.mga5.src.rpm
Assignee: guillomovitch => qa-bugs
Summary: openssh new security issue CVE-2015-8325 => openssh new security issues CVE-2015-8325, CVE-2016-6210, and CVE-2016-6515
Severity: normal => major
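A configuration check for the two preconditions of CVE-2015-8325 named in the advisory above (UseLogin enabled, and PAM reading user environment files), added here as an example; it is not part of the original bug thread or of Mageia's tooling. The function names, return codes and sample files are constructed, and it assumes PAM reads user environment files only where a pam_env.so line explicitly sets user_readenv=1.

```shell
#!/bin/sh
# Added example: audit a host's config for the CVE-2015-8325 preconditions.

uselogin_enabled() {
    # $1 = sshd_config path. Keywords are case-insensitive, "key=value" is
    # accepted, and the first value found for a keyword wins.
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }
        tolower($1) == "uselogin" { print tolower($2); exit }
    ' "$1" | grep -qx yes
}

pam_reads_user_env() {
    # $1 = PAM service directory. Lists files with an uncommented pam_env.so
    # line that sets user_readenv=1 (assumption: only explicit settings count).
    grep -lE '^[^#]*pam_env\.so[^#]*user_readenv=1' "$1"/* 2>/dev/null
}

audit_cve_2015_8325() {
    # Returns 0 = not exposed, 1 = UseLogin on but PAM condition not met,
    # 2 = both preconditions present.
    if ! uselogin_enabled "$1"; then
        echo "OK: UseLogin is not enabled in $1"
        return 0
    fi
    hits=$(pam_reads_user_env "$2") || {
        echo "WARN: UseLogin yes, but no pam_env user_readenv=1 found in $2"
        return 1
    }
    echo "EXPOSED: UseLogin yes and pam_env reads user environment files:"
    echo "$hits"
    return 2
}

make_sample() {
    # Constructed sample files, not taken from a real system.
    # $1 = scratch dir, $2 = UseLogin value, $3 = pam_env option
    mkdir -p "$1/pam.d"
    printf '%s\n' '# constructed sample' 'Port 22' "uselogin $2" \
        'UseLogin no' > "$1/sshd_config"
    printf '%s\n' '#session required pam_env.so user_readenv=1' \
        "session required pam_env.so $3" > "$1/pam.d/sshd"
}

# Demo on constructed files in a scratch directory.
demo=$(mktemp -d)
make_sample "$demo" yes user_readenv=1
audit_cve_2015_8325 "$demo/sshd_config" "$demo/pam.d" || true
rm -rf "$demo"
```

On a real system the arguments would be the live sshd_config and PAM service directory, for example /etc/ssh/sshd_config and /etc/pam.d.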
Package(s) under test:
openssh-clients openssh-server openssh

% sudo urpmi openssh-clients
Package openssh-clients-6.6p1-5.9.mga5.x86_64 is already installed
% sudo urpmi openssh-server
Package openssh-server-6.6p1-5.9.mga5.x86_64 is already installed
% sudo urpmi openssh
Package openssh-6.6p1-5.9.mga5.x86_64 is already installed

Tested ssh from this system to various other linux servers with no errors
Tested ssh to this system from linux clients with no errors
CC: (none) => makowski.mageia
Whiteboard: (none) => MGA5-64-OK
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0280.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED