CVEs have been assigned for security issues fixed in OpenSSH 7.4: http://openwall.com/lists/oss-security/2016/12/19/5
Whiteboard: (none) => MGA5TOO
URL: (none) => https://lwn.net/Vulnerabilities/710082/
openssh updated to 7.4p1 in Cauldron by Guillaume.
Version: Cauldron => 5Whiteboard: MGA5TOO => (none)
openSUSE has issued an advisory on January 31: https://lists.opensuse.org/opensuse-updates/2017-01/msg00178.html It fixes these issues as well as CVE-2016-8858: https://lwn.net/Vulnerabilities/713274/
Unfortunately, all those patches applies to version 7.2, whereas we have 6.6 in Mageia 5. Porting them will requires quite a lot work, I'm unable to provide currently.
Depends on: (none) => 22104
http://www.linuxsecurity.com/content/view/205876/170/ A new OpenSSH vulnerability was posted from Fedora.
CC: (none) => zombie_ryushu
CVE: (none) => CVE-2017-15906
@zombie: adding comments on already existing bug reports everytime a new vuln is announced doesn't allow proper tracking. Especially as the one you just reported applies for multiples versions of OpenSSH, whereas this tickets only applies to mageia 5.
Plus I already reported the new CVE in Bug 22104. Also, I already track RedHat, Fedora, SUSE, openSUSE, Debian, Ubuntu advisories and link to them directly. The linuxsecurity.com links aren't of interest to me. What I don't track anymore that I used to be able to before LWN went away were Debian-LTS, Slackware, and Gentoo, so if you see an advisory from them that I don't have a bug for, please file one. That would actually be helpful.
CVE: CVE-2017-15906 => (none)
According to Ubuntu, 6.6 isn't affected by CVE-2016-10010. Other than openSUSE, nobody has fixed these issues for older versions of OpenSSH (at least not Fedora, Debian, Ubuntu, or RedHat). They appear to be minor issues with mitigating circumstances that are difficult to exploit. I also agree with Guillaume that these patches would be too difficult to backport ourselves. RedHat did make a patch in their Bugzilla for CVE-2016-10012: https://bugzilla.redhat.com/show_bug.cgi?id=1406293 I've added patches for CVE-2016-8858, CVE-2016-10012, and CVE-2017-15906 in SVN.
Summary: openssh new security issues CVE-2016-10009 and CVE-2016-1001[0-2] => openssh new security issues CVE-2016-10009 and CVE-2016-1001[12]
According to RedHat, 6.6 isn't affected by CVE-2016-8858, so I've removed that patch. CVE-2016-10009 and CVE-2016-10011 will be WONTFIX, just to be clear.
Advisory: ======================== Updated openssh packages fix security vulnerabilities: It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process (CVE-2016-10012). The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files (CVE-2017-15906). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10012 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15906 https://bugzilla.redhat.com/show_bug.cgi?id=1406293 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VZIQDU7D6MLXFXZ4R3ZG2FCH6EDR3MBD/ ======================== Updated packages in core/updates_testing: ======================== openssh-6.6p1-5.10.mga5 openssh-clients-6.6p1-5.10.mga5 openssh-server-6.6p1-5.10.mga5 openssh-askpass-common-6.6p1-5.10.mga5 openssh-askpass-6.6p1-5.10.mga5 openssh-askpass-gnome-6.6p1-5.10.mga5 openssh-ldap-6.6p1-5.10.mga5 from openssh-6.6p1-5.10.mga5.src.rpm
CC: (none) => guillomovitchAssignee: guillomovitch => qa-bugs
On real hardware, ASRock motherboard, Athlon X2 7750, 8GB, nvidia Geforce 9800 GT graphics, Atheros wifi. Installed openssh-6.6p1-5.10.mga5 and openssh-clients-6.6p1-5.10.mga5. Rebooted, and used Firefox and wifi to open several sites, watch Youtube videos, download a file. No regressions noted. Looks good on 64-bit on this hardware.
Whiteboard: (none) => MGA-64-OKCC: (none) => andrewsfarm
Warrants proper testing.
Keywords: (none) => advisoryCC: (none) => davidwhodgins
Tested using ssh both ways between a Mageia 5 i586 vb guest and Mageia 5 x86-64 on the host. Validating the update.
Keywords: (none) => validated_updateWhiteboard: MGA-64-OK => MGA5-64-OK MGA5-32-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0006.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED