| Summary: | <net-misc/openssh-6.6_p1-r1 : AcceptEnv environment restriction bypass flaw (CVE-2014-2532) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | base-system, randy |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1077843 | | |
| Whiteboard: | B4 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-03-19 08:32:42 UTC
openssh-6.6_p1 is in the tree. It is probably safe for stabilization after 6.4_p1. Arches, please test and mark stable: =net-misc/openssh-6.6_p1

Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

amd64 stable

x86 stable

+*openssh-6.6_p1-r1 (20 Mar 2014)
+
+  20 Mar 2014; Lars Wendler <polynomial-c@gentoo.org> -openssh-6.6_p1.ebuild,
+  +openssh-6.6_p1-r1.ebuild:
+  Fixed hpn patch to not add a false patch level to ssh's version string
+  (6.6p2). Committed straight to stable where -r0 was stable.
+

Arches please continue stabilization of =net-misc/openssh-6.6_p1-r1

ia64 done

Stable for HPPA.

arm stable

ppc stable

ppc64 stable

sparc stable

alpha stable.

Maintainer(s), please cleanup.

Security, please vote.

Cleanup done.

Added to existing glsa draft.

CVE-2014-2532 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2532): sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character.

This issue was resolved and addressed in GLSA 201405-06 at http://security.gentoo.org/glsa/glsa-201405-06.xml by GLSA coordinator Mikle Kolyada (Zlogene).
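The CVE text above describes the defect class at the level of pattern matching: an AcceptEnv entry such as LC_* must only admit variable names that match the whole pattern, anchored at both ends, while a matcher that compares just the literal text before the wildcard lets through any name containing that text. The following is an added example, not code from this bug, from OpenSSH or from Gentoo. It parses a constructed sshd_config fragment, implements an anchored matcher for the two wildcard characters sshd patterns use, and places beside it an assumed reconstruction of the over-broad behaviour (named matches_prefix_only here) so the difference in what reaches the session environment is visible on constructed client input.

```python
import re

# Constructed sshd_config fragment for the example (not from the bug or any real host).
SSHD_CONFIG = """\
# constructed example: only locale variables may be passed by the client
AcceptEnv LANG LC_*
AcceptEnv XMODIFIERS   # trailing comment
"""

# Constructed NAME=VALUE pairs as a client might send them in a session "env" request.
CLIENT_ENV = [
    "LANG=C",
    "LC_ALL=C",
    "OTHER_LC_X=1",   # contains the literal "LC_" but does not start with it
    "UNLISTED=1",     # matches no AcceptEnv pattern at all
    "MALFORMED",      # no '=' separator
]


def parse_accept_env(config_text):
    """Collect every pattern from AcceptEnv lines, ignoring comments and blank lines."""
    patterns = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)          # keyword, then the rest (space or tab separated)
        if len(parts) == 2 and parts[0].lower() == "acceptenv":
            patterns.extend(parts[1].split())
    return patterns


def _glob_to_regex(pattern):
    """Translate an sshd-style pattern ('*' = any run, '?' = one char) into an
    anchored regular expression, so the whole variable name must match."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$")


def matches_anchored(name, pattern):
    """Correct check: the entire name must match the entire pattern."""
    return _glob_to_regex(pattern).match(name) is not None


def matches_prefix_only(name, pattern):
    """Assumed reconstruction of the defect class described by CVE-2014-2532 (this is
    not OpenSSH's code): only the literal text before the first '*' is compared, and
    it is compared as a substring, so any name containing that text is accepted."""
    if "*" not in pattern:
        return name == pattern
    literal_head = pattern.split("*", 1)[0]
    return literal_head in name


def filter_client_env(client_env, patterns, matcher=matches_anchored):
    """Return the NAME=VALUE pairs whose NAME is accepted by some AcceptEnv pattern."""
    accepted = {}
    for entry in client_env:
        name, sep, value = entry.partition("=")
        if not sep or not name:
            continue  # not a NAME=VALUE pair; drop it
        if any(matcher(name, p) for p in patterns):
            accepted[name] = value
    return accepted


if __name__ == "__main__":
    patterns = parse_accept_env(SSHD_CONFIG)
    print("anchored:", filter_client_env(CLIENT_ENV, patterns))
    print("lax     :", filter_client_env(CLIENT_ENV, patterns, matcher=matches_prefix_only))
```

With the constructed input, the anchored matcher admits only LANG and LC_ALL; the prefix-only matcher additionally admits OTHER_LC_X, which is the kind of name the advisory text says slips past the intended restriction. When auditing an sshd_config, the same anchored matcher can be run over the variable names a host actually expects to receive to confirm each AcceptEnv pattern is no wider than intended.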