Ubuntu has issued an advisory on March 10: https://ubuntu.com/security/notices/USN-4762-1 The issue is fixed upstream in 8.5. Mageia 7 is also affected.
CC: (none) => mageiaWhiteboard: (none) => MGA7TOOStatus comment: (none) => Fixed upstream in 8.5
Fedora has issued an advisory for this on March 23: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TXST2CML2MWY3PNVUXX7FFJE3ATJMNVZ/ The issue was introduced in 8.2, so Mageia 7 isn't affected.
Whiteboard: MGA7TOO => (none)Status comment: Fixed upstream in 8.5 => Fixed upstream in 8.5p1
Assigtning to Guillaume, the registered & active 'openssh' maintainer.
Assignee: bugsquad => guillomovitch
SRPM: openssh-8.4p1-2.1.mga8.src.rpm i586: openssh-8.4p1-2.1.mga8.i586.rpm openssh-askpass-common-8.4p1-2.1.mga8.i586.rpm openssh-askpass-gnome-8.4p1-2.1.mga8.i586.rpm openssh-clients-8.4p1-2.1.mga8.i586.rpm openssh-server-8.4p1-2.1.mga8.i586.rpm x86_64: openssh-8.4p1-2.1.mga8.x86_64.rpm openssh-askpass-common-8.4p1-2.1.mga8.x86_64.rpm openssh-askpass-gnome-8.4p1-2.1.mga8.x86_64.rpm openssh-clients-8.4p1-2.1.mga8.x86_64.rpm openssh-server-8.4p1-2.1.mga8.x86_64.rpm
Assignee: guillomovitch => qa-bugs
MGA8 - 64 bit - openssh-8.4p1-2.1.mga8.x86_64 - openssh-clients-8.4p1-2.1.mga8.x86_64 --- generated a new ssh key using ssh-keygen I am able to ssh to remove server. Thank goodness, this fixes a long standing issue I've been suffering in MGA8.
CC: (none) => brtians1
Advisory: ======================== Updated openssh packages fix a security vulnerability: ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host (CVE-2021-28041). References: - https://bugs.mageia.org/show_bug.cgi?id=29001 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28041 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TXST2CML2MWY3PNVUXX7FFJE3ATJMNVZ/ - https://ubuntu.com/security/notices/USN-4762-1 ======================== Updated packages in core/updates_testing: ======================== openssh-8.4p1-2.1.mga8 openssh-askpass-common-8.4p1-2.1.mga8 openssh-askpass-gnome-8.4p1-2.1.mga8 openssh-clients-8.4p1-2.1.mga8 openssh-server-8.4p1-2.1.mga8 from SRPM: openssh-8.4p1-2.1.mga8.src.rpm
CVE: (none) => CVE-2021-28041Keywords: (none) => advisoryStatus comment: Fixed upstream in 8.5p1 => (none)CC: (none) => ouaurelien
(In reply to Brian Rockwell from comment #4) > MGA8 - 64 bit > > > - openssh-8.4p1-2.1.mga8.x86_64 > - openssh-clients-8.4p1-2.1.mga8.x86_64 > > --- > > generated a new ssh key using ssh-keygen > > I am able to ssh to remove server. Same tests. OK. Validating.
Keywords: (none) => validated_updateWhiteboard: (none) => MGA8-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0261.html
Status: NEW => RESOLVEDResolution: (none) => FIXED