Fedora has issued an advisory on November 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VZIQDU7D6MLXFXZ4R3ZG2FCH6EDR3MBD/

The RedHat bug links to the upstream commit that fixed the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1506630

Mageia 5 and Mageia 6 are also affected.
Blocks: (none) => 19987
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assigning to the registered openssh maintainer.
CC: (none) => marja11
Guillaume updated to OpenSSH 7.6p1 in Cauldron, which fixes this.
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6
Advisory:
========================

Updated openssh packages fix security vulnerability:

The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files (CVE-2017-15906).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15906
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VZIQDU7D6MLXFXZ4R3ZG2FCH6EDR3MBD/
========================

Updated packages in core/updates_testing:
========================
openssh-7.5p1-2.1.mga6
openssh-clients-7.5p1-2.1.mga6
openssh-server-7.5p1-2.1.mga6
openssh-askpass-common-7.5p1-2.1.mga6
openssh-askpass-7.5p1-2.1.mga6
openssh-askpass-gnome-7.5p1-2.1.mga6
openssh-ldap-7.5p1-2.1.mga6

from openssh-7.5p1-2.1.mga6.src.rpm
Assignee: guillomovitch => qa-bugs
Whiteboard: MGA5TOO => (none)
CC: (none) => guillomovitch
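Added example, not part of the bug thread and not OpenSSH's source: a sketch of the kind of read-only guard the advisory text describes, comparing a check that looks only at the access mode with one that also refuses create and truncate flags. The function names and the flag combinations are assumptions chosen for illustration.

```c
/* Added illustration; function names are hypothetical, not OpenSSH's. */
#include <fcntl.h>
#include <stdio.h>

/* Narrow read-only guard: refuses only an explicit write access mode.
 * O_RDONLY|O_CREAT passes, and open() with O_CREAT creates an empty file. */
static int readonly_denies_narrow(int flags)
{
    int acc = flags & O_ACCMODE;
    return acc == O_WRONLY || acc == O_RDWR;
}

/* Strict read-only guard: refuses everything except a plain read, so
 * flags that create or truncate are rejected whatever the access mode. */
static int readonly_denies_strict(int flags)
{
    return (flags & O_ACCMODE) != O_RDONLY ||
           (flags & (O_CREAT | O_TRUNC)) != 0;
}

int main(void)
{
    /* Constructed flag combinations a server might derive from a request. */
    static const struct { const char *name; int flags; } cases[] = {
        { "O_RDONLY",         O_RDONLY },
        { "O_WRONLY",         O_WRONLY },
        { "O_RDWR",           O_RDWR },
        { "O_RDONLY|O_CREAT", O_RDONLY | O_CREAT },
        { "O_RDONLY|O_TRUNC", O_RDONLY | O_TRUNC },
    };
    size_t i;

    printf("%-20s %-8s %-8s\n", "flags", "narrow", "strict");
    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-20s %-8s %-8s\n", cases[i].name,
               readonly_denies_narrow(cases[i].flags) ? "deny" : "allow",
               readonly_denies_strict(cases[i].flags) ? "deny" : "allow");
    return 0;
}
```

The two guards disagree only on the last two rows, which are the combinations that can leave a zero-length file behind without any write access mode being requested.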
MGA6-32 on Dell Latitude D600
No installation issues
Found no previous examples of testing in bugs or Wiki, so tried my own

# systemctl start sshd
# systemctl -l status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since do 2017-12-28 16:33:18 CET; 19s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 28318 (sshd)
   CGroup: /system.slice/sshd.service
           └─28318 /usr/sbin/sshd -D

dec 28 16:33:18 xxxx systemd[1]: Starting OpenSSH server daemon...
dec 28 16:33:18 xxxx sshd[28318]: Server listening on 0.0.0.0 port 22.
dec 28 16:33:18 xxxx sshd[28318]: Server listening on :: port 22.
dec 28 16:33:18 xxxx systemd[1]: Started OpenSSH server daemon.

and for client

ssh <user>@<mydesktop>
Password:
[xxxx@yyyy ~]$ cd Documents/
[xxxx@yyyy Documents]$ ls
empty.odb

seems all OK
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
Quick work, Herman. 1 architecture 1 release OK -> validate!
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0483.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED