It's a simple patch:
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-7.2p2-CVE-2015-8325.patch?h=f23&id=669db415332fd00d30aef4fed70ddca12f39afbf

Fixed in openssh-7.2p2-2.mga6 in Cauldron by Guillaume.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Fedora patch checked into Mageia 5 SVN.  This issue only affects a non-default and unlikely configuration, so no need to push an update for it at this time.  The patch will be included in any future update.

Fedora has issued an advisory today (August 10):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/X2L6RW34VFNXYNVVN2CN73YAGJ5VMTFU/

It fixes CVE-2016-6515, a DoS issue related to running crypt on long passwords.

LWN reference:
http://lwn.net/Vulnerabilities/696931/

It was fixed upstream in 7.3 (which is in Cauldron).

Patched package uploaded for Mageia 5.

I've also included a patch that fixes CVE-2016-6210 and a related issue, although at least for CVE-2016-6210, Mageia systems wouldn't generally be affected as we use Blowfish by default.

Advisory:
========================

Updated openssh packages fix security vulnerabilities:

The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when
the UseLogin feature is enabled and PAM is configured to read .pam_environment
files in user home directories, allows local users to gain privileges by
triggering a crafted environment for the /bin/login program, as demonstrated
by an LD_PRELOAD environment variable (CVE-2015-8325).

When SSHD tries to authenticate a non-existing user, it will pick up a fake
password structure hard-coded in the SSHD source code. An attacker can measure
timing information to determine if a user exists when verifying a password
(CVE-2016-6210).

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does
not limit password lengths for password authentication, which allows remote
attackers to cause a denial of service (crypt CPU consumption) via a long
string (CVE-2016-6515).

Note that CVE-2015-8325 and CVE-2016-6210 wouldn't affect most Mageia systems,
as UseLogin is not enabled by default and Mageia uses Blowfish password hashes
by default.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8325
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6210
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6515
https://www.debian.org/security/2016/dsa-3550
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6210
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/X2L6RW34VFNXYNVVN2CN73YAGJ5VMTFU/
========================

Updated packages in core/updates_testing:
========================
openssh-6.6p1-5.9.mga5
openssh-clients-6.6p1-5.9.mga5
openssh-server-6.6p1-5.9.mga5
openssh-askpass-common-6.6p1-5.9.mga5
openssh-askpass-6.6p1-5.9.mga5
openssh-askpass-gnome-6.6p1-5.9.mga5
openssh-ldap-6.6p1-5.9.mga5

from openssh-6.6p1-5.9.mga5.src.rpm

Assignee: guillomovitch => qa-bugs
Summary: openssh new security issue CVE-2015-8325 => openssh new security issues CVE-2015-8325, CVE-2016-6210, and CVE-2016-6515
Severity: normal => major

Package(s) under test:
openssh-clients openssh-server openssh

% sudo urpmi openssh-clients
Package openssh-clients-6.6p1-5.9.mga5.x86_64 is already installed

% sudo urpmi openssh-server
Package openssh-server-6.6p1-5.9.mga5.x86_64 is already installed

% sudo urpmi openssh
Package openssh-6.6p1-5.9.mga5.x86_64 is already installed

Tested ssh from this system to various other linux servers with no errors

Tested ssh to this system from linux clients with no errors

CC: (none) => makowski.mageia
Whiteboard: (none) => MGA5-64-OK

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0280.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED