Bug 6524 - openssh new security issue CVE-2011-5000
: openssh new security issue CVE-2011-5000
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 1
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/502711/
: mga1-32-OK, mga1-64-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-06-20 21:05 CEST by David Walser
Modified: 2012-07-09 17:41 CEST (History)
6 users (show)

See Also:
Source RPM: openssh-5.8p1-2.mga1.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-06-20 21:05:54 CEST
RedHat has issued an advisory today (June 20):
https://rhn.redhat.com/errata/RHSA-2012-0884.html

Only Mageia 1 is affected.  Patch is here:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/gss-serv.c.diff?r1=1.22;r2=1.23
Comment 1 Colin Guthrie 2012-06-25 10:39:39 CEST
I've patched the SPEC on mageia 1 and pushed to updates testing.

Please note that we appear not to enable GSSAPI by default in our configs and thus this is likely a lower risk for us than for RedHat.

I didn't look into the other bugs mentioned so if someone wants to take a more holistic look that's fine. I only reacted here due to it being a CVE (albeit a low risk one).

I only have one mga1 box left and it will be upgraded soon once I fix the postgrey issue, so I will test this change in due course.
Comment 2 David Walser 2012-06-25 15:05:41 CEST
Posting an advisory now.  Will wait to assign to QA until later.

Advisory:
========================

Updated openssh packages fix security vulnerability:

The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and
earlier, when gssapi-with-mic authentication is enabled, allows remote
authenticated users to cause a denial of service (memory consumption)
via a large value in a certain length field (CVE-2011-5000).

Note: only systems on which GSSAPI authentication has been enabled are
vulnerable to this flaw, as it is disabled by default in Mageia.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5000
https://rhn.redhat.com/errata/RHSA-2012-0884.html
========================

Updated packages in core/updates_testing:
========================
openssh-5.8p1-2.1.mga1
openssh-clients-5.8p1-2.1.mga1
openssh-server-5.8p1-2.1.mga1
openssh-askpass-common-5.8p1-2.1.mga1
openssh-askpass-5.8p1-2.1.mga1
openssh-askpass-gnome-5.8p1-2.1.mga1

from openssh-5.8p1-2.1.mga1.src.rpm
Comment 3 Colin Guthrie 2012-06-25 15:18:05 CEST
Tested the package on x86_64. I do not have GSSAPI enabled so cannot test vuln, but regular operation is unaffected as expected.
Comment 4 David Walser 2012-06-29 21:14:29 CEST
Assigning to QA now.  Advisory is in Comment 2.
Comment 5 Dave Hodgins 2012-07-04 03:41:18 CEST
Testing complete on Mageia 1 i586.

As gssapi is not normally enabled, just looking for regressions.

Could someone from the sysadmin team push the srpm
openssh-5.8p1-2.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated openssh packages fix security vulnerability:

The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and
earlier, when gssapi-with-mic authentication is enabled, allows remote
authenticated users to cause a denial of service (memory consumption)
via a large value in a certain length field (CVE-2011-5000).

Note: only systems on which GSSAPI authentication has been enabled are
vulnerable to this flaw, as it is disabled by default in Mageia.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5000
https://rhn.redhat.com/errata/RHSA-2012-0884.html

https://bugs.mageia.org/show_bug.cgi?id=6524
Comment 6 Thomas Backlund 2012-07-09 17:41:11 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0145

Note You need to log in before you can comment on or make changes to this bug.