Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 597360 (CVE-2016-8858) - <net-misc/openssh-7.3_p1-r7: Memory exhaustion due to unregistered KEXINIT handler after receiving message
Summary: <net-misc/openssh-7.3_p1-r7: Memory exhaustion due to unregistered KEXINIT ha...
Status: RESOLVED FIXED
Alias: CVE-2016-8858
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa cve]
Keywords:
: 606144 (view as bug list)
Depends on:
Blocks:
 
Reported: 2016-10-17 12:43 UTC by Agostino Sarubbo
Modified: 2017-01-18 09:58 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-10-17 12:43:54 UTC 
From ${URL} :

A memory exhaustion issue in OpenSSH that can be triggered before user authentication was found. An unauthenticated attacker could consume approx. 400 MB 
of memory per each connection. The attacker could set up multiple such connections to run out of server’s memory.   

Affected versions: openssh-6.8p1, openssh-6.9p1, openssh-7.0p1, openssh-7.1p1, openssh-7.2p1, openssh-7.3p1. 

Upstream patch:
https://github.com/openssh/openssh-portable/commit/ec165c392ca54317dbe3064a8c200de6531e89ad


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Patrick McLean gentoo-dev 2016-10-17 17:54:12 UTC 
commit 4a9ab68a607415d932b524eab2f523d1e9ce77e1
Author: Patrick McLean <chutzpah@gentoo.org>
Date:   Mon Oct 17 10:48:45 2016 -0700

    net-misc/openssh: Revision bump, add patch to fix a preauth memory consumption issue

    Gentoo-Bug: 597360

    Package-Manager: portage-2.3.2



Stabilization of this should be fine.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-11-12 12:40:02 UTC 
@arches, please stabilize:

=net-misc/openssh-7.3_p1-r7
Comment 3 Agostino Sarubbo gentoo-dev 2016-11-13 13:08:07 UTC 
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-11-13 13:09:55 UTC 
x86 stable
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2016-11-14 17:20:36 UTC 
Stable on alpha.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2016-11-17 08:03:05 UTC 
Stable for HPPA PPC64.
Comment 7 Agostino Sarubbo gentoo-dev 2016-11-27 11:37:46 UTC 
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-11-27 11:40:49 UTC 
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-11-28 09:36:02 UTC 
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-11-28 09:39:16 UTC 
ia64 stable.

Maintainer(s), please cleanup.
Comment 11 Markus Meier gentoo-dev 2016-11-29 17:40:49 UTC 
arm stable, all arches done.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-12-07 10:33:20 UTC 
This issue was resolved and addressed in
 GLSA 201612-18 at https://security.gentoo.org/glsa/201612-18
by GLSA coordinator Aaron Bauman (b-man).
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2016-12-07 10:34:06 UTC 
@maintainer(s), reopened for cleanup.
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 19:37:57 UTC 
Cleanup PR: https://github.com/gentoo/gentoo/pull/3405
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 21:46:42 UTC 
Cleaned up via 72c64a401d9595aa1da76ae25eda2b9e13b5234a
Comment 16 SpanKY gentoo-dev 2017-01-18 09:58:06 UTC 
*** Bug 606144 has been marked as a duplicate of this bug. ***