SUSE has issued an advisory on January 18: http://lists.suse.com/pipermail/sle-security-updates/2019-January/005045.html openSUSE has issued advisories for this on January 28 and 29: https://lists.opensuse.org/opensuse-updates/2019-01/msg00089.html https://lists.opensuse.org/opensuse-updates/2019-01/msg00094.html openSUSE has since reverted the patch fixing these issues, however. Mageia 6 is also affected.
Assignee: bugsquad => guillomovitchWhiteboard: (none) => MGA6TOO
Debian has issued an advisory for two of these issues on February 9: https://www.debian.org/security/2019/dsa-4387
Ubuntu has as well on February 7: https://usn.ubuntu.com/3885-1/
Updated advisory from Ubuntu (the fix was incomplete) from March 4: https://usn.ubuntu.com/3885-2/
openSUSE has issued an advisory for this today (March 8): https://lists.opensuse.org/opensuse-updates/2019-03/msg00033.html
OpenSSH 8.0p1 contains a fix for CVE-2019-6111: https://www.openwall.com/lists/oss-security/2019/04/18/1
openssh-8.0p1-1.mga7 uploaded for Cauldron by Guillaume. I'm not sure if it has fixes for CVE-2019-6109 or CVE-2019-6110.
The upstream patch referenced by the Debian advisory for CVE-2019-6109 is included in openssh 8.0p1, so I'd say yes for this this one. I didn't found any reference to a patch for CVE-2019-6110, tough.
Thanks. Looking over this again, it looks like nobody ended up fixing CVE-2019-6110 and upstream doesn't think it's worth trying and ultimately scp needs to be rewritten to use the sftp protocol underneath. We can issue an update for the other two issues.
Whiteboard: MGA6TOO => (none)Version: Cauldron => 6Summary: openssh new security issues CVE-2019-6109 and CVE-2019-611[01] => openssh new security issues CVE-2019-6109 and CVE-2019-6111
Advisory: ======================== Updated openssh packages fix security vulnerabilities: Due to missing character encoding in the progress display, the object name can be used to manipulate the client output, for example to employ ANSI codes to hide additional files being transferred (CVE-2019-6109). Due to scp client insufficient input validation in path names sent by server, a malicious server can do arbitrary file overwrites in target directory. If the recursive (-r) option is provided, the server can also manipulate subdirectories as well (CVE-2019-6111). The check added in this version can lead to regression if the client and the server have differences in wildcard expansion rules. If the server is trusted for that purpose, the check can be disabled with a new -T option to the scp client. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6109 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 https://www.debian.org/security/2019/dsa-4387 ======================== Updated packages in core/updates_testing: ======================== openssh-7.5p1-2.4.mga6 openssh-clients-7.5p1-2.4.mga6 openssh-server-7.5p1-2.4.mga6 openssh-askpass-common-7.5p1-2.4.mga6 openssh-askpass-7.5p1-2.4.mga6 openssh-askpass-gnome-7.5p1-2.4.mga6 openssh-ldap-7.5p1-2.4.mga6 from openssh-7.5p1-2.4.mga6.src.rpm
CC: (none) => guillomovitchAssignee: guillomovitch => qa-bugs
MGA6-64 Plasma on Lenovo B50 No instalation isssues Testing locally on this machine: # systemctl start sshd # systemctl -l status sshd ● sshd.service - OpenSSH server daemon Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled) Active: active (running) since zo 2019-05-05 14:10:48 CEST; 24s ago Docs: man:sshd(8) man:sshd_config(5) Main PID: 28393 (sshd) CGroup: /system.slice/sshd.service └─28393 /usr/sbin/sshd -D mei 05 14:10:48 mach5.hviaene.thuis systemd[1]: Starting OpenSSH server daemon... mei 05 14:10:48 mach5.hviaene.thuis sshd[28393]: Server listening on 0.0.0.0 port 22. mei 05 14:10:48 mach5.hviaene.thuis sshd[28393]: Server listening on :: port 22. mei 05 14:10:48 mach5.hviaene.thuis systemd[1]: Started OpenSSH server daemon. # ssh tester6@<mylaptop> Password: Last login: Sun May 5 14:13:37 2019 from fe80::b66d:83ff:fe0d:c14%wlp9s0 [tester6@mach5 ~]$ pwd /home/tester6 Seems to work OK.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA6-64-OK
Installed and tested without issues. Tests: - normal shell (client and server); - sshfs mount (client and server); - git clone from github using ssh (client); - sftp copy (client and server); - rsync (client and server); System: Mageia 6, x86_64, Intel CPU. $ uname -a Linux marte 4.14.106-desktop-1.mga6 #1 SMP Thu Mar 14 18:01:29 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux $ rpm -qa | grep openssh | sort openssh-7.5p1-2.4.mga6 openssh-askpass-7.5p1-2.4.mga6 openssh-askpass-common-7.5p1-2.4.mga6 openssh-askpass-qt5-2.0.3-1.mga6 openssh-clients-7.5p1-2.4.mga6 openssh-server-7.5p1-2.4.mga6
CC: (none) => mageia
Validating. Advisory in Comment 9.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmbKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0156.html
Status: NEW => RESOLVEDResolution: (none) => FIXED