Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 505066 (CVE-2014-2532)

Summary: <net-misc/openssh-6.6_p1-r1 : AcceptEnv environment restriction bypass flaw (CVE-2014-2532)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: base-system, randy
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1077843
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-03-19 08:32:42 UTC 
From ${URL} :

Common Vulnerabilities and Exposures assigned an identifier CVE-2014-2532 to
the following vulnerability:

Name: CVE-2014-2532
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2532
Assigned: 20140317
Reference: http://marc.info/?l=openbsd-security-announce&m=139492048027313&w=2

sshd in OpenSSH before 6.6 does not properly support wildcards on
AcceptEnv lines in sshd_config, which allows remote attackers to
bypass intended environment restrictions by using a substring located
before a wildcard character.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 SpanKY gentoo-dev 2014-03-20 05:54:57 UTC 
openssh-6.6_p1 is in the tree.  probably is safe for stabilization after 6.4_p1.
Comment 2 Agostino Sarubbo gentoo-dev 2014-03-20 13:40:47 UTC 
Arches, please test and mark stable:                                                                                                           
=net-misc/openssh-6.6_p1                                                                                                                       
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2014-03-20 18:17:42 UTC 
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-03-20 18:17:49 UTC 
x86 stable
Comment 5 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-03-20 20:43:01 UTC 
+*openssh-6.6_p1-r1 (20 Mar 2014)
+
+  20 Mar 2014; Lars Wendler <polynomial-c@gentoo.org> -openssh-6.6_p1.ebuild,
+  +openssh-6.6_p1-r1.ebuild:
+  Fixed hpn patch to not add a false patch level to ssh's version string
+  (6.6p2). Committed straight to stable where -r0 was stable.
+

Arches please continue stabilization of =net-misc/openssh-6.6_p1-r1
Comment 6 SpanKY gentoo-dev 2014-03-20 20:58:27 UTC 
ia64 done
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2014-03-22 14:46:37 UTC 
Stable for HPPA.
Comment 8 Markus Meier gentoo-dev 2014-03-22 21:36:26 UTC 
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-03-23 09:32:40 UTC 
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-03-23 09:32:47 UTC 
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-03-23 09:35:23 UTC 
sparc stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-03-23 09:54:23 UTC 
alpha stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Agostino Sarubbo gentoo-dev 2014-03-23 09:56:23 UTC 
Cleanup done.
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-03-23 12:04:10 UTC 
Added to existing glsa draft.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-03-23 12:04:52 UTC 
CVE-2014-2532 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2532):
  sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv
  lines in sshd_config, which allows remote attackers to bypass intended
  environment restrictions by using a substring located before a wildcard
  character.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2014-05-11 13:56:41 UTC 
This issue was resolved and addressed in
 GLSA 201405-06 at http://security.gentoo.org/glsa/glsa-201405-06.xml
by GLSA coordinator Mikle Kolyada (Zlogene).