RedHat has issued an advisory today (June 20):
https://rhn.redhat.com/errata/RHSA-2012-0884.html

Only Mageia 1 is affected.

Patch is here:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/gss-serv.c.diff?r1=1.22;r2=1.23
CC: (none) => guillomovitch
CC: (none) => mageia
CC: (none) => pterjan
I've patched the SPEC on Mageia 1 and pushed to updates testing. Please note that we appear not to enable GSSAPI by default in our configs and thus this is likely a lower risk for us than for RedHat. I didn't look into the other bugs mentioned so if someone wants to take a more holistic look that's fine. I only reacted here due to it being a CVE (albeit a low risk one). I only have one mga1 box left and it will be upgraded soon once I fix the postgrey issue, so I will test this change in due course.
Posting an advisory now. Will wait to assign to QA until later.

Advisory:
========================

Updated openssh packages fix security vulnerability:

The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and earlier, when gssapi-with-mic authentication is enabled, allows remote authenticated users to cause a denial of service (memory consumption) via a large value in a certain length field (CVE-2011-5000).

Note: only systems on which GSSAPI authentication has been enabled are vulnerable to this flaw, as it is disabled by default in Mageia.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5000
https://rhn.redhat.com/errata/RHSA-2012-0884.html
========================

Updated packages in core/updates_testing:
========================
openssh-5.8p1-2.1.mga1
openssh-clients-5.8p1-2.1.mga1
openssh-server-5.8p1-2.1.mga1
openssh-askpass-common-5.8p1-2.1.mga1
openssh-askpass-5.8p1-2.1.mga1
openssh-askpass-gnome-5.8p1-2.1.mga1

from openssh-5.8p1-2.1.mga1.src.rpm
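The advisory's note limits exposure to hosts where GSSAPI authentication is enabled. As an added example (not part of this bug report or of the Mageia package), the shell function below checks an sshd_config file for that setting. The function name and the sample configs are constructed for illustration, and a missing keyword is treated as disabled, following the advisory's statement about the Mageia default.

```shell
#!/bin/sh
# Added example: report whether an sshd_config enables GSSAPIAuthentication,
# the precondition the advisory gives for CVE-2011-5000.
# gssapi_status FILE -> prints "enabled-global", "enabled-match" or "disabled"
gssapi_status() {
    awk '
    {
        sub(/^[ \t]+/, "")                  # drop leading whitespace
        if ($0 == "" || $0 ~ /^#/) next     # skip blank and comment lines
        line = $0
        sub(/[ \t]*=[ \t]*/, " ", line)     # "Keyword=value" form is allowed
        split(line, f, /[ \t]+/)
        key = tolower(f[1])                 # keywords are case-insensitive
        val = tolower(f[2])
        gsub(/"/, "", val)                  # arguments may be quoted
        if (key == "match") { in_match = 1; next }
        if (key != "gssapiauthentication") next
        if (in_match) {
            if (val == "yes") match_yes = 1 # enabled for some connections
        } else if (!seen) {
            seen = 1; first = val           # first global value wins
        }
    }
    END {
        if (first == "yes")  print "enabled-global"
        else if (match_yes)  print "enabled-match"
        else                 print "disabled"  # assumed default: off
    }' "$1"
}

# Constructed sample configs (not taken from any real host).
tmpdir=$(mktemp -d)
printf '%s\n' '# stock-style config' '#GSSAPIAuthentication no' 'UsePAM yes' \
    > "$tmpdir/default.conf"
printf '%s\n' 'gssapiauthentication=yes' 'GSSAPIAuthentication no' \
    > "$tmpdir/on.conf"
printf '%s\n' 'GSSAPIAuthentication no' 'Match Address 10.0.0.0/8' \
    '    GSSAPIAuthentication yes' > "$tmpdir/match.conf"

for name in default on match; do
    printf '%s: %s\n' "$name" "$(gssapi_status "$tmpdir/$name.conf")"
done
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; the function above is for auditing config files offline.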
Tested the package on x86_64. I do not have GSSAPI enabled so cannot test vuln, but regular operation is unaffected as expected.
Assigning to QA now. Advisory is in Comment 2.
Assignee: bugsquad => qa-bugs
Testing complete on Mageia 1 i586. As gssapi is not normally enabled, just looking for regressions.

Could someone from the sysadmin team push the srpm
openssh-5.8p1-2.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated openssh packages fix security vulnerability:

The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and earlier, when gssapi-with-mic authentication is enabled, allows remote authenticated users to cause a denial of service (memory consumption) via a large value in a certain length field (CVE-2011-5000).

Note: only systems on which GSSAPI authentication has been enabled are vulnerable to this flaw, as it is disabled by default in Mageia.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5000
https://rhn.redhat.com/errata/RHSA-2012-0884.html
https://bugs.mageia.org/show_bug.cgi?id=6524
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => mga1-32-OK, mga1-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0145
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED