Debian-LTS has issued an advisory today (November 14): https://www.debian.org/lts/security/2022/dla-3187 The issue is fixed upstream in 2022.82. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 2022.82Whiteboard: (none) => MGA8TOO
Updated Cauldron to ver. 2022.83 which includes a fix.
Version: Cauldron => 8Whiteboard: MGA8TOO => (none)
Dan has uploaded dropbear-2020.81-1.1.mga8 for Mageia 8.
CC: (none) => danStatus comment: Fixed upstream in 2022.82 => (none)Assignee: dan => qa-bugs
dropbear-2020.81-1.1.mga8 is in updates_testing. QA regression test method: 1. Install/upgrade the fixed dropbear RPM version 2. Set up a local SSH server (it doesn't have to be Dropbear) to allow logins by the local user. 3. Execute: dbclient -o DisableTrivialAuth=yes localhost echo OK and log in, if necessary. 4. Test passes if "OK" is displayed AND no error messages are displayed (especially messages about unknown configuration options). Advisory: ======================== Updated dropbear package fixes a security vulnerability in dbclient:. Due to a non-RFC-compliant check of the available authentication methods in the client-side SSH code, it is possible for an SSH server to change the login process in its favor. This attack can bypass additional security measures such as FIDO2 tokens or SSH-Askpass. Thus, it allows an attacker to abuse a forwarded agent for logging on to another server unnoticed. The fix adds a new option, DisableTrivialAuth, to dbclient to disable this attack vector. Invoke dbclient like this: "dbclient -o DisableTrivialAuth=yes localhost …" to enable this mitigation on each dbclient invocation. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36369 https://github.com/mkj/dropbear/pull/128 ======================== Updated packages in core/updates_testing: ======================== dropbear-2020.81-1.1.mga8 from dropbear-2020.81-1.1.mga8.src.rpm
Whiteboard: (none) => has_procedure
MGA8-64 MATE on Acer Aspire 5253 No installation issues Trying to follow bug 23493 Comment 1, but getting into all sorts of problems # systemctl stop sshd.service # systemctl start dropbear.service # systemctl -l status dropbear.service ● dropbear.service - Dropbear SSH Server Daemon Loaded: loaded (/usr/lib/systemd/system/dropbear.service; disabled; vendor preset: disabled) Active: active (running) since Fri 2022-11-18 15:19:21 CET; 35min ago Process: 14031 ExecStart=/usr/sbin/dropbear $OPTIONS (code=exited, status=0/SUCCESS) Main PID: 14032 (dropbear) Tasks: 1 (limit: 4364) Memory: 312.0K CPU: 397ms CGroup: /system.slice/dropbear.service └─14032 /usr/sbin/dropbear So far so good remark then: python-paramiko does not exist anymore in our repo, I find python3-paramiko # ssh mach7 echo Working The authenticity of host 'mach7 (192.168.2.7)' can't be established. ECDSA key fingerprint is SHA256:/YjHIhPZYhN3pAQxIt6gxPCNZf162y/0LMsHluzLcEQ. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added 'mach7,192.168.2.7' (ECDSA) to the list of known hosts. root@mach7's password: /usr/bin/xauth: file /root/.Xauthority does not exist Working [root@mach7 ~]# ssh mach7 echo Working root@mach7's password: Working I think this is acceptable, but as normal user $ ssh mach7 echo Working The authenticity of host 'mach7 (192.168.2.7)' can't be established. ECDSA key fingerprint is SHA256:/YjHIhPZYhN3pAQxIt6gxPCNZf162y/0LMsHluzLcEQ. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added 'mach7,192.168.2.7' (ECDSA) to the list of known hosts. tester8@mach7's password: Permission denied, please try again. $ curl -ORL https://bugfuzz.com/stuff/ssh-check-username.py % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 2655 100 2655 0 0 4109 0 --:--:-- --:--:-- --:--:-- 4109 [tester8@mach7 ~]$ python ssh-check-username.py --port 22 127.0.0.1 $USER File "ssh-check-username.py", line 68 print '[-] Failed to connect' ^ SyntaxError: Missing parentheses in call to 'print'. Did you mean print('[-] Failed to connect')? Changed in the downloaded file the print statements as suggested and also #!/usr/bin/env python3 but $ python3 ssh-check-username.py --port 22 127.0.0.1 $USER Traceback (most recent call last): File "ssh-check-username.py", line 39, in <module> old_service_accept = paramiko.auth_handler.AuthHandler._handler_table[ TypeError: 'property' object is not subscriptable And here I am definitely lost.
CC: (none) => herman.viaene
The QA procedure for bug 23493 is irrelevant to this bug. Use the procedure in comment #3.
# systemctl stop sshd.service # systemctl start dropbear.service # systemctl -l status dropbear.service ● dropbear.service - Dropbear SSH Server Daemon Loaded: loaded (/usr/lib/systemd/system/dropbear.service; disabled; vendor preset: disabled) Active: active (running) since Sun 2022-11-20 10:10:02 CET; 5s ago Process: 3766 ExecStart=/usr/sbin/dropbear $OPTIONS (code=exited, status=0/SUCCESS) Main PID: 3767 (dropbear) Tasks: 1 (limit: 4364) Memory: 1.0M CPU: 15ms CGroup: /system.slice/dropbear.service └─3767 /usr/sbin/dropbear Nov 20 10:10:02 mach7.hviaene.thuis systemd[1]: Starting Dropbear SSH Server Daemon... Nov 20 10:10:02 mach7.hviaene.thuis dropbear[3766]: Failed loading /etc/dropbear/dropbear_ed25519_host_key Nov 20 10:10:02 mach7.hviaene.thuis systemd[1]: dropbear.service: Can't open PID file /run/dropbear.pid (yet?) after> Nov 20 10:10:02 mach7.hviaene.thuis dropbear[3767]: Running in background Nov 20 10:10:02 mach7.hviaene.thuis systemd[1]: Started Dropbear SSH Server Daemon. Then as normal user $ dbclient -o DisableTrivialAuth=yes localhost echo OK Host 'localhost' is not in the trusted hosts file. (ecdsa-sha2-nistp256 fingerprint sha1!! 54:cf:a1:b0:1e:8f:87:90:4f:64:5c:ad:79:b0:ca:dd:56:ac:66:ba) Do you want to continue connecting? (y/n) y tester8@localhost's password: OK So, good to go.
Whiteboard: has_procedure => has_procedure MGA8-64-OK
Validating. Advisory in comment 3.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0436.html
Status: NEW => RESOLVEDResolution: (none) => FIXED