Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 191321 - net-misc/openssh <4.7 X11 cookie privelege escalation (CVE-2007-4752)
Summary: net-misc/openssh <4.7 X11 cookie privelege escalation (CVE-2007-4752)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.frsirt.com/english/advisor...
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-09-05 03:18 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2008-01-10 08:39 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2007-09-05 03:18:25 UTC
From: 	  djm@cvs.openbsd.org
	Subject: 	[openssh-unix-announce] Announce: OpenSSH 4.7 released
	Date: 	September 4, 2007 8:14:09 PM EDT
	To: 	  openssh-unix-announce@mindrot.org

OpenSSH 4.7 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots and purchased
T-shirts or posters.

T-shirt, poster and CD sales directly support the project. Pictures
and more information can be found at:
        http://www.openbsd.org/tshirts.html and
        http://www.openbsd.org/orders.html

For international orders use http://https.openbsd.org/cgi-bin/order
and for European orders, use http://https.openbsd.org/cgi-bin/order.eu

Changes since OpenSSH 4.6:
============================

Security bugs resolved in this release:

 * Prevent ssh(1) from using a trusted X11 cookie if creation of an
   untrusted cookie fails; found and fixed by Jan Pechanec.

Other changes, new functionality and fixes in this release:

 * sshd(8) in new installations defaults to SSH Protocol 2 only.
   Existing installations are unchanged.

 * The SSH channel window size has been increased, and both ssh(1)
   sshd(8) now send window updates more aggressively. These improves
   performance on high-BDP (Bandwidth Delay Product) networks.

 * ssh(1) and sshd(8) now preserve MAC contexts between packets, which
   saves 2 hash calls per packet and results in 12-16% speedup for
   arcfour256/hmac-md5.

 * A new MAC algorithm has been added, UMAC-64 (RFC4418) as
   "umac-64@openssh.com". UMAC-64 has been measured to be 
   approximately 20% faster than HMAC-MD5.

 * A -K flag was added to ssh(1) to set GSSAPIAuthentication=Yes

 * Failure to establish a ssh(1) TunnelForward is now treated as a
   fatal error when the ExitOnForwardFailure option is set.

 * ssh(1) returns a sensible exit status if the control master goes
   away without passing the full exit status. (bz #1261)

 * The following bugs have been fixed in this release:

   - When using a ProxyCommand in ssh(1), set the outgoing hostname with
     gethostname(2), allowing hostbased authentication to work (bz #616)
   - Make scp(1) skip FIFOs rather than hanging (bz #856)
   - Encode non-printing characters in scp(1) filenames.
     these could cause copies to be aborted with a "protocol error"
     (bz #891)
   - Handle SIGINT in sshd(8) privilege separation child process to
     ensure that wtmp and lastlog records are correctly updated
     (bz #1196)
   - Report GSSAPI mechanism in errors, for libraries that support
     multiple mechanisms (bz #1220)
   - Improve documentation for ssh-add(1)'s -d option (bz #1224)
   - Rearrange and tidy GSSAPI code, removing server-only code being
     linked into the client. (bz #1225)
   - Delay execution of ssh(1)'s LocalCommand until after all forwadings
     have been established. (bz #1232)
   - In scp(1), do not truncate non-regular files (bz #1236)
   - Improve exit message from ControlMaster clients. (bz #1262)
   - Prevent sftp-server(8) from reading until it runs out of buffer
     space, whereupon it would exit with a fatal error. (bz #1286)

 * Portable OpenSSH bugs fixed:

   - Fix multiple inclusion of paths.h on AIX 5.1 systems. (bz #1243)
   - Implement getpeereid for Solaris using getpeerucred. Solaris
     systems will now refuse ssh-agent(1) and ssh(1) ControlMaster
     clients from different, non-root users (bz #1287)
   - Fix compilation warnings by including string.h if found. (bz #1294)
   - Remove redefinition of _res in getrrsetbyname.c for platforms that
     already define it. (bz #1299)
   - Fix spurious "chan_read_failed for istate 3" errors from sshd(8),
     a side-effect of the "hang on exit" fix introduced in 4.6p1.
     (bz #1306)
   - pam_end() was not being called if authentication failed (bz #1322)
   - Fix SELinux support when SELinux is in permissive mode. Previously
     sshd(8) was treating SELinux errors as always fatal. (bz #1325)
   - Ensure that pam_setcred(..., PAM_ESTABLISH_CRED) is called before
     pam_setcred(..., PAM_REINITIALIZE_CRED), fixing pam_dhkeys.
     (bz #1339)
   - Fix privilege separation on QNX - pre-auth only, this platform does
     not support file descriptior passing needed for post-auth privilege
     separation. (bz #1343)

Thanks to everyone who has contributed patches, reported bugs and
tested releases.

Checksums:
==========

- SHA1 (openssh-4.7.tar.gz) = 9ebaab9b31e01bd0d04425dc23536bcc78f8d990
- SHA1 (openssh-4.7p1.tar.gz) = 58357db9e64ba6382bef3d73d1d386fcdc0508f4

Reporting Bugs:
===============

- please read http://www.openssh.com/report.html
  and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.

_______________________________________________
openssh-unix-announce mailing list
openssh-unix-announce@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-announce
Comment 1 SpanKY gentoo-dev 2007-09-05 04:06:06 UTC
openssh-4.7_p1 is in the tree now
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-06 09:19:22 UTC
thanks Mike.
Arches, please test and mark stable net-misc/openssh-4.7_p1.
Target keywords are: "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"
Comment 3 Andrej Kacian (RETIRED) gentoo-dev 2007-09-06 10:04:49 UTC
x86 done
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2007-09-06 10:38:18 UTC
alpha/ia64 stable
Comment 5 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-09-06 11:20:45 UTC
sparc stable
Comment 6 Chris Gianelloni (RETIRED) gentoo-dev 2007-09-07 00:42:20 UTC
amd64 done
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2007-09-07 04:16:28 UTC
Stable for HPPA.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-07 14:51:58 UTC
ppc stable
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2007-09-08 08:07:32 UTC
net-misc/openssh-4.7_p1-r1 stable on ppc64
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-09-25 19:13:32 UTC
No supported arches left here, someone please please file a glsa request.

Setting A1 (local privilege escalation) because this requires user credentials on the machine.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-09-25 19:38:26 UTC
GLSA request filed.
Comment 12 Joshua Kinard gentoo-dev 2007-09-27 04:51:06 UTC
mips stable.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-25 19:37:38 UTC
Since it's not user privilege escalation it's not a 1.
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-01 23:31:50 UTC
GLSA 200711-02