Summary: | net-misc/openssh: security fixes in 4.4 | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | David Danier <golk> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | bernd, chainsaw, lcars |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openssh.com/txt/release-4.4 | ||
Whiteboard: | C1? [glsa] vorlon | ||
Package list: | Runtime testing required: | --- |
Description
David Danier
2006-09-29 03:31:28 UTC
*** Bug 149503 has been marked as a duplicate of this bug. *** the last two vulnerabilities are not covered in the latest glsa since 4.4 is still missing x509 and smartcard support (lcars is working on ldap), we should get the older version patched for the new vulnerabilities rating C1, but I am pretty unsure, since code execution is said to be possible, but _highly_ unlikely I just committed 4.4p1-r1 with ldap support (a new patch has been created). Please don't unmask until I say the final word ;). In the meantime testing is much appreciated. any news here? (x509/smartcard/...?) news? openssh-4.4_p1-r4 has all updates but smartcard openssh-4.4_p1-r5 has everything if you feel like pushing it arches, please test openssh-4.4_p1-r5 and mark stable if possible I'm hitting the issue on bug #151527, patch doesn't apply clean when both X509 and hpn are USEd. Stable for HPPA. Stable on x86 emerges fine and works on amd64. emerge --info Portage 2.1.1-r1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.18-suspend2-Dudebox-Edition x86_64) ================================================================= System uname: 2.6.18-suspend2-Dudebox-Edition x86_64 AMD Athlon(tm) 64 Processor 3200+ Gentoo Base System version 1.12.5 Last Sync: Tue, 31 Oct 2006 04:50:01 +0000 distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] ccache version 2.3 [enabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: [Not Present] dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=k8 -msse3 -Os -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/control" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-march=k8 -msse3 -Os -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig buildpkg ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/" LDFLAGS="-Wl,-O1" MAKEOPTS="-j4" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage_overlay" SYNC="rsync://server/gentoo-portage" USE="amd64 X alsa apache2 berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode esd fam firefox fortran gcj gdbm gif gpm gstreamer gtk gtk2 hal iconv imap input_devices_keyboard input_devices_mouse isdnlog jpeg kde kdeenablefinal kdehiddenvisibility kernel_linux libg++ mad mikmod mp3 mpeg mysql ncurses nls nptl nptlonly objc objc++ ogg oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl sqlite ssl tcpd test truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_radeon vorbis xml xorg xv zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS amd64 done. Thanks Michael. I think users that were using USE="sftplogging" with older versions of OpenSSH should be informed that SFTP logging has been incorporated into upstream OpenSSH and that this USE flag is therefore gone. (In reply to comment #9) > I'm hitting the issue on bug #151527, patch doesn't apply clean when both X509 > and hpn are USEd. Same here -- see https://bugs.gentoo.org/show_bug.cgi?id=151527#c19 :( I'm confused, an issue was brought up (a combination of USE flags causing a patch application to fail) and it was marked stable anyways? Shouldn't this go back to ebuild status until the issue is fixed? Yes, it should. Unfortunately some arch security teams don't read the bug before stabling. Thanks SpanKY. sparc stable. ppc stable WTF?! :( (In reply to comment #20) > WTF?! :( Nevermind -- I didn't look at https://bugs.gentoo.org/show_bug.cgi?id=151527#c21 :) Alpha done. Security team do you agree with sending a GLSA ? (Although the exploitation for code exec seems really really hard) I tend to see ssh DoS as one of the more important (heh) forms of DoS ... so that's a YES .-) marked ppc64 stable agreed, we should publish a GLSA (given the importance of openssh) Marked 4.4_p1-r6 stable on mips GLSA 200611-06, thanks everybody |