Fedora has issued an advisory today (January 16): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7BTRTRMCMO3OAWZ473K42G6BN2SJWZXG/ More information is in this message: https://www.openwall.com/lists/oss-security/2019/01/14/1 Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
SUSE has issued an advisory for this on January 18: http://lists.suse.com/pipermail/sle-security-updates/2019-January/005045.html It adds a few more related CVEs.
Summary: openssh new security issue CVE-2018-20685 => openssh new security issues CVE-2018-20685, CVE-2019-6109, CVE-2019-611[01]
Sorry for taking three days to assign this security bug :-/ Assigning to the registered maintainer.
Assignee: bugsquad => guillomovitchCC: (none) => marja11
openSUSE has issued advisories for this on January 28 and 29: https://lists.opensuse.org/opensuse-updates/2019-01/msg00089.html https://lists.opensuse.org/opensuse-updates/2019-01/msg00094.html
Moving CVE-2019-6109 and CVE-2019-611[01] to Bug 24308. CVE-2018-20685 fixed in openssh-7.9p1-2.mga7 in Cauldron.
Summary: openssh new security issues CVE-2018-20685, CVE-2019-6109, CVE-2019-611[01] => openssh new security issue CVE-2018-20685Version: Cauldron => 6Whiteboard: MGA6TOO => (none)
Patched package uploaded for Mageia 6. Advisory: ======================== Updated openssh packages fix security vulnerability: In OpenSSH, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename (CVE-2018-20685). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20685 https://lists.opensuse.org/opensuse-updates/2019-01/msg00094.html ======================== Updated packages in core/updates_testing: ======================== openssh-7.5p1-2.3.mga6 openssh-clients-7.5p1-2.3.mga6 openssh-server-7.5p1-2.3.mga6 openssh-askpass-common-7.5p1-2.3.mga6 openssh-askpass-7.5p1-2.3.mga6 openssh-askpass-gnome-7.5p1-2.3.mga6 openssh-ldap-7.5p1-2.3.mga6 from openssh-7.5p1-2.3.mga6.src.rpm
Assignee: guillomovitch => qa-bugs
Installed and tested without issues. Client and server tests included: - bash terminal; - sshfs; - rsync; - git; - scp; - sftp; System: Mageia 6, x86_64, Intel CPU. $ uname -a Linux marte 4.14.89-desktop-1.mga6 #1 SMP Mon Dec 17 13:14:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux $ rpm -qa | grep openssh | sort openssh-7.5p1-2.3.mga6 openssh-askpass-7.5p1-2.3.mga6 openssh-askpass-common-7.5p1-2.3.mga6 openssh-askpass-qt5-2.0.3-1.mga6 openssh-clients-7.5p1-2.3.mga6 openssh-server-7.5p1-2.3.mga6
Whiteboard: (none) => MGA6-64-OKCC: (none) => mageia
Validating. Advisory in Comment 5.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0067.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED