Bug 18222 - openssh new security issues CVE-2015-8325, CVE-2016-6210, and CVE-2016-6515
Summary: openssh new security issues CVE-2015-8325, CVE-2016-6210, and CVE-2016-6515
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/684235/
Whiteboard: MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Reported: 2016-04-18 19:22 CEST by David Walser
Modified: 2016-08-31 17:33 CEST (History)
3 users (show)

See Also:
Source RPM: openssh-7.2p2-1.mga6.src.rpm
Status comment:


Description David Walser 2016-04-18 19:22:19 CEST
Debian has issued an advisory on April 15:

Mageia 5 is also affected.

UseLogin is also not enabled by default in Mageia.
David Walser 2016-04-18 19:22:48 CEST

Whiteboard: (none) => MGA5TOO

Comment 2 David Walser 2016-04-25 19:33:14 CEST
Fixed in openssh-7.2p2-2.mga6 in Cauldron by Guillaume.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 3 David Walser 2016-05-12 18:30:09 CEST
Fedora patch checked into Mageia 5 SVN.  This issue only affects a non-default and unlikely configuration, so no need to push an update for it at this time.  The patch will be included in any future update.
Comment 4 David Walser 2016-08-11 00:24:01 CEST
Fedora has issued an advisory today (August 10):

It fixes CVE-2016-6515, a DoS issue related to running crypt on long passwords.

LWN reference:

It was fixed upstream in 7.3 (which is in Cauldron).

Patched package uploaded for Mageia 5.

I've also included a patch that fixes CVE-2016-6210 and a related issue, although at least for CVE-2016-6210, Mageia systems wouldn't generally be affected as we use Blowfish by default.


Updated openssh packages fix security vulnerabilities:

The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when
the UseLogin feature is enabled and PAM is configured to read .pam_environment
files in user home directories, allows local users to gain privileges by
triggering a crafted environment for the /bin/login program, as demonstrated
by an LD_PRELOAD environment variable (CVE-2015-8325).

When SSHD tries to authenticate a non-existing user, it will pick up a fake
password structure hard-coded in the SSHD source code. An attacker can measure
timing information to determine if a user exists when verifying a password

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does
not limit password lengths for password authentication, which allows remote
attackers to cause a denial of service (crypt CPU consumption) via a long
string (CVE-2016-6515).

Note that CVE-2015-8325 and CVE-2016-6210 wouldn't affect most Mageia systems,
as UseLogin is not enabled by default and Mageia uses Blowfish password hashes
by default.


Updated packages in core/updates_testing:

from openssh-6.6p1-5.9.mga5.src.rpm

Assignee: guillomovitch => qa-bugs
Summary: openssh new security issue CVE-2015-8325 => openssh new security issues CVE-2015-8325, CVE-2016-6210, and CVE-2016-6515
Severity: normal => major

Comment 5 Philippe Makowski 2016-08-16 22:30:50 CEST
Package(s) under test:
openssh-clients openssh-server openssh

% sudo urpmi openssh-clients
Package openssh-clients-6.6p1-5.9.mga5.x86_64 is already installed

% sudo urpmi openssh-server
Package openssh-server-6.6p1-5.9.mga5.x86_64 is already installed

% sudo urpmi openssh
Package openssh-6.6p1-5.9.mga5.x86_64 is already installed

Tested ssh from this system to various other linux servers with no errors

Tested ssh to this system from linux clients with no errors

CC: (none) => makowski.mageia
Whiteboard: (none) => MGA5-64-OK

Dave Hodgins 2016-08-18 23:09:15 CEST

Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2016-08-31 17:33:27 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.