|Summary:||net-misc/openssh <4.7 X11 cookie privelege escalation (CVE-2007-4752)|
|Product:||Gentoo Security||Reporter:||Rajiv Aaron Manglani (RETIRED) <rajiv>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Package list:||Runtime testing required:||---|
Description Rajiv Aaron Manglani (RETIRED) 2007-09-05 03:18:25 UTC
From: firstname.lastname@example.org Subject: [openssh-unix-announce] Announce: OpenSSH 4.7 released Date: September 4, 2007 8:14:09 PM EDT To: email@example.com OpenSSH 4.7 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots and purchased T-shirts or posters. T-shirt, poster and CD sales directly support the project. Pictures and more information can be found at: http://www.openbsd.org/tshirts.html and http://www.openbsd.org/orders.html For international orders use http://https.openbsd.org/cgi-bin/order and for European orders, use http://https.openbsd.org/cgi-bin/order.eu Changes since OpenSSH 4.6: ============================ Security bugs resolved in this release: * Prevent ssh(1) from using a trusted X11 cookie if creation of an untrusted cookie fails; found and fixed by Jan Pechanec. Other changes, new functionality and fixes in this release: * sshd(8) in new installations defaults to SSH Protocol 2 only. Existing installations are unchanged. * The SSH channel window size has been increased, and both ssh(1) sshd(8) now send window updates more aggressively. These improves performance on high-BDP (Bandwidth Delay Product) networks. * ssh(1) and sshd(8) now preserve MAC contexts between packets, which saves 2 hash calls per packet and results in 12-16% speedup for arcfour256/hmac-md5. * A new MAC algorithm has been added, UMAC-64 (RFC4418) as "firstname.lastname@example.org". UMAC-64 has been measured to be approximately 20% faster than HMAC-MD5. * A -K flag was added to ssh(1) to set GSSAPIAuthentication=Yes * Failure to establish a ssh(1) TunnelForward is now treated as a fatal error when the ExitOnForwardFailure option is set. * ssh(1) returns a sensible exit status if the control master goes away without passing the full exit status. (bz #1261) * The following bugs have been fixed in this release: - When using a ProxyCommand in ssh(1), set the outgoing hostname with gethostname(2), allowing hostbased authentication to work (bz #616) - Make scp(1) skip FIFOs rather than hanging (bz #856) - Encode non-printing characters in scp(1) filenames. these could cause copies to be aborted with a "protocol error" (bz #891) - Handle SIGINT in sshd(8) privilege separation child process to ensure that wtmp and lastlog records are correctly updated (bz #1196) - Report GSSAPI mechanism in errors, for libraries that support multiple mechanisms (bz #1220) - Improve documentation for ssh-add(1)'s -d option (bz #1224) - Rearrange and tidy GSSAPI code, removing server-only code being linked into the client. (bz #1225) - Delay execution of ssh(1)'s LocalCommand until after all forwadings have been established. (bz #1232) - In scp(1), do not truncate non-regular files (bz #1236) - Improve exit message from ControlMaster clients. (bz #1262) - Prevent sftp-server(8) from reading until it runs out of buffer space, whereupon it would exit with a fatal error. (bz #1286) * Portable OpenSSH bugs fixed: - Fix multiple inclusion of paths.h on AIX 5.1 systems. (bz #1243) - Implement getpeereid for Solaris using getpeerucred. Solaris systems will now refuse ssh-agent(1) and ssh(1) ControlMaster clients from different, non-root users (bz #1287) - Fix compilation warnings by including string.h if found. (bz #1294) - Remove redefinition of _res in getrrsetbyname.c for platforms that already define it. (bz #1299) - Fix spurious "chan_read_failed for istate 3" errors from sshd(8), a side-effect of the "hang on exit" fix introduced in 4.6p1. (bz #1306) - pam_end() was not being called if authentication failed (bz #1322) - Fix SELinux support when SELinux is in permissive mode. Previously sshd(8) was treating SELinux errors as always fatal. (bz #1325) - Ensure that pam_setcred(..., PAM_ESTABLISH_CRED) is called before pam_setcred(..., PAM_REINITIALIZE_CRED), fixing pam_dhkeys. (bz #1339) - Fix privilege separation on QNX - pre-auth only, this platform does not support file descriptior passing needed for post-auth privilege separation. (bz #1343) Thanks to everyone who has contributed patches, reported bugs and tested releases. Checksums: ========== - SHA1 (openssh-4.7.tar.gz) = 9ebaab9b31e01bd0d04425dc23536bcc78f8d990 - SHA1 (openssh-4.7p1.tar.gz) = 58357db9e64ba6382bef3d73d1d386fcdc0508f4 Reporting Bugs: =============== - please read http://www.openssh.com/report.html and http://bugzilla.mindrot.org/ OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom. _______________________________________________ openssh-unix-announce mailing list email@example.com https://lists.mindrot.org/mailman/listinfo/openssh-unix-announce
Comment 1 SpanKY 2007-09-05 04:06:06 UTC
openssh-4.7_p1 is in the tree now
Comment 2 Pierre-Yves Rofes (RETIRED) 2007-09-06 09:19:22 UTC
thanks Mike. Arches, please test and mark stable net-misc/openssh-4.7_p1. Target keywords are: "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"
Comment 3 Andrej Kacian (RETIRED) 2007-09-06 10:04:49 UTC
Comment 4 Raúl Porcel (RETIRED) 2007-09-06 10:38:18 UTC
Comment 5 Jose Luis Rivero (yoswink) (RETIRED) 2007-09-06 11:20:45 UTC
Comment 6 Chris Gianelloni (RETIRED) 2007-09-07 00:42:20 UTC
Comment 7 Jeroen Roovers (RETIRED) 2007-09-07 04:16:28 UTC
Stable for HPPA.
Comment 8 Tobias Scherbaum (RETIRED) 2007-09-07 14:51:58 UTC
Comment 9 Markus Rothe (RETIRED) 2007-09-08 08:07:32 UTC
net-misc/openssh-4.7_p1-r1 stable on ppc64
Comment 10 Robert Buchholz (RETIRED) 2007-09-25 19:13:32 UTC
No supported arches left here, someone please please file a glsa request. Setting A1 (local privilege escalation) because this requires user credentials on the machine.
Comment 11 Sune Kloppenborg Jeppesen 2007-09-25 19:38:26 UTC
GLSA request filed.
Comment 12 Joshua Kinard 2007-09-27 04:51:06 UTC
Comment 13 Sune Kloppenborg Jeppesen 2007-10-25 19:37:38 UTC
Since it's not user privilege escalation it's not a 1.
Comment 14 Pierre-Yves Rofes (RETIRED) 2007-11-01 23:31:50 UTC