From ${URL} : Common Vulnerabilities and Exposures assigned an identifier CVE-2014-2532 to the following vulnerability:

Name: CVE-2014-2532
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2532
Assigned: 20140317
Reference: http://marc.info/?l=openbsd-security-announce&m=139492048027313&w=2

sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
openssh-6.6_p1 is in the tree. It is probably safe for stabilization after 6.4_p1.
Arches, please test and mark stable: =net-misc/openssh-6.6_p1
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
amd64 stable
x86 stable
+*openssh-6.6_p1-r1 (20 Mar 2014) + + 20 Mar 2014; Lars Wendler <polynomial-c@gentoo.org> -openssh-6.6_p1.ebuild, + +openssh-6.6_p1-r1.ebuild: + Fixed hpn patch to not add a false patch level to ssh's version string + (6.6p2). Committed straight to stable where -r0 was stable. + Arches please continue stabilization of =net-misc/openssh-6.6_p1-r1
ia64 done
Stable for HPPA.
arm stable
ppc stable
ppc64 stable
sparc stable
alpha stable. Maintainer(s), please cleanup. Security, please vote.
Cleanup done.
Added to existing glsa draft.
CVE-2014-2532 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2532): sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character.
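Since the advisory concerns AcceptEnv entries that contain wildcards, a defender on a host that cannot yet run OpenSSH 6.6 would want to know which entries those are. The audit script below is an added example, not part of this bug thread or of OpenSSH; the sshd_config text it parses is constructed sample input.

```python
import re

# Constructed sample sshd_config (not from any real host). The wildcard
# entries LC_* and DEPLOY_? are the kind of pattern a pre-6.6 sshd mishandles.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not from a real host
Port 22
AcceptEnv LANG LC_*
AcceptEnv XMODIFIERS
Match User deploy
    AcceptEnv DEPLOY_? TERM
"""

WILDCARD_CHARS = ("*", "?")


def parse_accept_env(config_text):
    """Return (line_no, pattern, in_match_block) for every AcceptEnv entry.

    Keywords are case-insensitive, may be separated from their arguments by
    whitespace or '=', and one AcceptEnv line may list several patterns.
    """
    entries = []
    in_match = False
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword, args = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if keyword == "match":
            in_match = True  # a Match block runs until the next Match or EOF
        elif keyword == "acceptenv":
            for pattern in args.split():
                entries.append((line_no, pattern, in_match))
    return entries


def find_wildcard_accept_env(config_text):
    """Return only the AcceptEnv entries whose pattern contains '*' or '?'."""
    return [entry for entry in parse_accept_env(config_text)
            if any(ch in entry[1] for ch in WILDCARD_CHARS)]


if __name__ == "__main__":
    for line_no, pattern, in_match in find_wildcard_accept_env(SAMPLE_SSHD_CONFIG):
        scope = "Match block" if in_match else "global"
        print(f"line {line_no}: AcceptEnv {pattern} ({scope}) uses a wildcard; "
              "on sshd < 6.6, list the variable names explicitly instead")
```

Explicit variable names such as XMODIFIERS are not affected by CVE-2014-2532, so replacing each flagged pattern with the exact names that are actually needed removes the exposure until the upgrade lands.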
This issue was resolved and addressed in GLSA 201405-06 at http://security.gentoo.org/glsa/glsa-201405-06.xml by GLSA coordinator Mikle Kolyada (Zlogene).