Ubuntu has issued an advisory on February 26: https://usn.ubuntu.com/3894-1/ The issue was fixed upstream in 3.28.0. The upstream patch is linked from: https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20781.html
Assignee: bugsquad => gnomeCC: (none) => marja11
Patched package uploaded for Mageia 6 by Jani. Advisory: ======================== Updated gnome-keyring package fixes security vulnerability: It was discovered that GNOME Keyring incorrectly cleared out credentials supplied to the PAM module. A local attacker could possibly use this issue to discover login credentials (CVE-2018-20781). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781 https://usn.ubuntu.com/3894-1/ ======================== Updated packages in core/updates_testing: ======================== gnome-keyring-3.20.0-1.1.mga6 from gnome-keyring-3.20.0-1.1.mga6.src.rpm
CC: (none) => jani.valimaaAssignee: gnome => qa-bugs
MGA6-32 MATE on IBM Thinkpad R50e No installation issues, updated existing package Hunting for a testing method, found https://wiki.archlinux.org/index.php/GNOME/Keyring and did following at CLI: $ ssh-add -L The agent has no identities. ]$ ssh-add ~/.ssh/id_rsa /home/tester6/.ssh/id_rsa: No such file or directory So, no keys present yet. $ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/tester6/.ssh/id_rsa): Created directory '/home/tester6/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/tester6/.ssh/id_rsa. Your public key has been saved in /home/tester6/.ssh/id_rsa.pub. The key fingerprint is: and gives the key data..... $ ssh-add ~/.ssh/id_rsa Enter passphrase for /home/tester6/.ssh/id_rsa: Identity added: /home/tester6/.ssh/id_rsa (/home/tester6/.ssh/id_rsa) $ ssh-copy-id herman@xxxx Warning: Permanently added 'xxxx,aaa.bbb.ccc.ddd' (ECDSA) to the list of known hosts. Password: Password: Password: herman@xxxx's password: Now try logging into the machine, with "ssh 'herman@xxxx'", and check in: .ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting. $ ssh 'herman@xxxx' Last login: Mon Jan 7 16:27:46 2019 from 192.168.2.6 [herman@xxxx]$ pwd /home/herman/ So the whole chain seems to work.
Whiteboard: (none) => MGA6-32-OKCC: (none) => herman.viaene
Keywords: (none) => advisory, validated_updateCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0111.html
Status: NEW => RESOLVEDResolution: (none) => FIXED