Debian has released an advisory on July 1: https://lists.debian.org/debian-security-announce/2024/msg00135.html See also: https://www.openwall.com/lists/oss-security/2024/07/01/3 The problem is fixed in version 9.8. Mageia 9 is also affected.
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => openssh-9.3p1-4.mga10.src.rpm
Status comment: (none) => Fixed upstream in 9.8 and patch available from upstream and Debian
CVE: (none) => CVE-2024-6387
Suggested advisory:
========================

The updated packages fix a security vulnerability:

regreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems. (CVE-2024-6387)

References:
https://lists.debian.org/debian-security-announce/2024/msg00135.html
https://www.openwall.com/lists/oss-security/2024/07/01/3
========================

Updated packages in core/updates_testing:
========================
openssh-9.3p1-2.2.mga9
openssh-askpass-common-9.3p1-2.2.mga9
openssh-askpass-gnome-9.3p1-2.2.mga9
openssh-clients-9.3p1-2.2.mga9
openssh-keycat-9.3p1-2.2.mga9
openssh-server-9.3p1-2.2.mga9

from SRPM:
openssh-9.3p1-2.2.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 9.8 and patch available from upstream and Debian => (none)
Severity: normal => critical
Assignee: bugsquad => qa-bugs
Version: Cauldron => 9
Source RPM: openssh-9.3p1-4.mga10.src.rpm => openssh-9.3p1-2.1.mga9.src.rpm
Keywords: (none) => advisory
RH mageia 9 x86_64

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing openssh-server-9.3p1-2.2.mga9.x86_64.rpm openssh-askpass-gnome-9.3p1-2.2.mga9.x86_64.rpm openssh-9.3p1-2.2.mga9.x86_64.rpm openssh-askpass-common-9.3p1-2.2.mga9.x86_64.rpm openssh-clients-9.3p1-2.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
      1/5: openssh ##################################################################################################
      2/5: openssh-clients ##################################################################################################
      3/5: openssh-askpass-common ##################################################################################################
      4/5: openssh-askpass-gnome ##################################################################################################
      5/5: openssh-server ##################################################################################################
      1/5: removing openssh-askpass-gnome-9.3p1-2.1.mga9.x86_64 ##################################################################################################
      2/5: removing openssh-server-9.3p1-2.1.mga9.x86_64 ##################################################################################################
      3/5: removing openssh-askpass-common-9.3p1-2.1.mga9.x86_64 ##################################################################################################
      4/5: removing openssh-clients-9.3p1-2.1.mga9.x86_64 ##################################################################################################
      5/5: removing openssh-9.3p1-2.1.mga9.x86_64 ##################################################################################################

systemctl restart sshd.service

[root@jgrey ~]# systemctl status sshd.service
● sshd.service - OpenSSH server daemon
     Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; preset: enabled)
     Active: active (running) since Mon 2024-07-01 16:26:44 CST; 8s ago
       Docs: man:sshd(8)
             man:sshd_config(5)
   Main PID: 278792 (sshd)
      Tasks: 1 (limit: 6904)
     Memory: 1.3M
        CPU: 36ms
     CGroup: /system.slice/sshd.service
             └─278792 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

jul 01 16:26:44 jgrey.phoenix systemd[1]: Starting sshd.service...
jul 01 16:26:44 jgrey.phoenix sshd[278792]: Server listening on 192.168.1.3 port 22.
jul 01 16:26:44 jgrey.phoenix systemd[1]: Started sshd.service.

Connect by sftp to my server and transfer a file: OK
Connect to remote server by ssh: OK
I installed the packages on x86_64 and haven't found any problems, testing ssh, sftp, rsync, X11, local and remote port forwarding.
CC: (none) => dan
Works, as expected. Since no simple test against the security issue is available we must consider it fixed.

Cauldron: shouldn't we push the newer version (9.8) to cauldron instead of the patch?
CC: (none) => mageia
Whiteboard: (none) => MGA9-64-OK
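Comment #4 points out that there is no simple functional test for the flaw itself, so what a tester (or an administrator auditing a fleet) can actually verify is that the installed build is the fixed one or newer. The following is an added example, not part of this bug report or of Mageia's own QA tooling: it compares package name-version-release strings using the segment rules of rpm's rpmvercmp(3) (digit runs compare numerically, alpha runs as strings, a digit segment beats an alpha segment, and `~` sorts before everything), and checks an installed NVR against the fixed NVR from the advisory above. Epoch and caret (`^`) handling are deliberately left out on the assumption that the Mageia openssh packages discussed here use neither; the `rpm -q --qf` call in the `__main__` block is standard rpm usage but is only run when the script is executed directly on an RPM-based host.

```python
import re
import subprocess

# rpmvercmp compares three kinds of segments: digit runs, alpha runs and the
# '~' pre-release marker.  Every other character is a separator.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version (or release) strings like rpmvercmp(3).

    Returns -1 if a < b, 0 if equal, 1 if a > b.  Epoch and '^' are not
    handled (assumption: unused by the packages in this report).
    """
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            # '~' sorts before anything else, including end-of-string.
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):  # int() also strips leading zeros
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() or y.isdigit():
            # numeric segment is newer than an alpha segment
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    # One side has segments left over: it wins, unless the leftover is '~'.
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb)] if a_longer else sb[len(sa)]
    if rest == "~":
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def split_nvr(nvr: str):
    """Split 'name-version-release' (e.g. openssh-server-9.3p1-2.2.mga9).

    The package name may itself contain dashes, so split from the right.
    """
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_nvr(installed: str, fixed: str) -> int:
    """rpm-style ordering of two NVRs of the same package."""
    n1, v1, r1 = split_nvr(installed)
    n2, v2, r2 = split_nvr(fixed)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1} vs {n2}")
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def is_fixed(installed_nvr: str, fixed_nvr: str) -> bool:
    """True when the installed build is the fixed build or a newer one."""
    return compare_nvr(installed_nvr, fixed_nvr) >= 0


def installed_nvr(package: str) -> str:
    """Query the local rpm database for the installed NVR of `package`."""
    out = subprocess.run(
        ["rpm", "-q", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}\n", package],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip().splitlines()[-1]


if __name__ == "__main__":
    # Fixed build taken from the suggested advisory in this bug report.
    FIXED = "openssh-server-9.3p1-2.2.mga9"
    try:
        have = installed_nvr("openssh-server")
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        raise SystemExit(f"cannot query rpm database: {exc}")
    verdict = "fixed" if is_fixed(have, FIXED) else "VULNERABLE build still installed"
    print(f"{have}: {verdict} (fixed in {FIXED})")
```

The comparison function is the part worth keeping: feeding it the two builds that appear in the x86_64 install log above (2.1.mga9 being replaced by 2.2.mga9) gives the expected "older" / "fixed" answers, and upstream's 9.8 sorts after 9.3p1 because the second digit segment is compared numerically.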
(In reply to Marc Krämer from comment #4)
> Cauldron: shouldn't we push the newer version (9.8) to cauldron instead of
> the patch

Yes, we should but, sadly, I am unable to do it. If someone else wants to try to do it, I would be more than happy.
@Nico: why? what is the problem? maybe I can help? Should we switch to mail, for discussion?
(In reply to Marc Krämer from comment #6)
> @Nico: why? what is the problem? maybe I can help? Should we switch to mail,
> for discussion?

I lack knowledge about how openssh was historically packaged. It seems we more or less follow how it is packaged into Fedora. When I tried, some patches did not apply and I am unsure if those patches are needed or not.
I see. Had the same view on this. Guillaume has synced it with fedora. Did not remember he gave it up... I guess we have to make decisions on the patches. I guess it would be a good idea to get more to vanilla and remove (old) patches we can't maintain, e.g. openssh-7.8p1-role-mls which adds selinux roles, not officially supported. I'll have a look at this. It really is a bunch of patches....
Fixed, removed, deactivated some of the patches. A build is running for cauldron. Have to recheck some of the deactivated ones. But at least it compiles.
Installed in my RPI4-arm64

(In reply to Nicolas Salguero from comment #1)
> openssh-9.3p1-2.2.mga9
> openssh-clients-9.3p1-2.2.mga9
> openssh-server-9.3p1-2.2.mga9

Restarted sshd.service
Disconnected. Connection still works.
OK for my POV.
CC: (none) => yvesbrungard
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0250.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED