| Field | Value |
|---|---|
| Summary | <net-misc/openssh-6.7_p1: openssh client does not check SSHFP if server offers certificate (CVE-2014-2653) |
| Product | Gentoo Security |
| Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | base-system |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.openwall.com/lists/oss-security/2014/03/26/7 |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=529436 |
| Whiteboard | A4 [noglsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 524662 |
| Bug Blocks | |
Description
Agostino Sarubbo
2014-03-27 09:25:10 UTC
@maintainers: Debian seems to have a patch for this at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513#20 . Something of interest?

Looks like upstream has addressed it in the 6.7_p1 release: https://github.com/openssh/openssh-portable/commit/7d6a9fb660c808882d064e152d6070ffc3844c3f

Maintainer(s): Please let us know when the ebuild is ready for stabilization, or call for stabilization.

Acked by radhermit

Yes, there we go again. Please specify a target to stabilise, with a list of architectures that should go stable. We've been through this.

Arches, please test and mark stable:
=net-misc/openssh-6.7_p1
target KEYWORDS="alpha amd64 arm hppa ia64 ppc64 ppc sparc x86"

Stable for HPPA.

amd64 stable

x86 stable

arm stable

sparc stable

alpha stable

ppc stable

ppc64 stable

ia64 stable.

Maintainer(s), please cleanup. Security, please vote.

Arches, thank you for your work.

Maintainer(s), please drop the vulnerable version(s).

GLSA Vote: No

GLSA Vote: No

@Maintainers: Please close the bug when cleanup is done. Security is done.

CVE-2014-2653 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2653): The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.

Maintainer(s), please drop the vulnerable version(s). It has been some time and there are still vulnerable versions in tree.

+ 31 Jan 2015; Lars Wendler <polynomial-c@gentoo.org>
+ -openssh-6.6_p1-r1.ebuild, -openssh-6.6.1_p1-r4.ebuild,
+ -openssh-6.7_p1-r1.ebuild, -openssh-6.7_p1-r2.ebuild,
+ -files/openssh-5.9_p1-sshd-gssapi-multihomed.patch,
+ -files/openssh-6.3_p1-x509-glue.patch,
+ -files/openssh-6.5_p1-hpn-cipher-align.patch,
+ -files/openssh-6.6_p1-openssl-ignore-status.patch,
+ -files/openssh-6.6.1_p1.patch, -files/openssh-6.6_p1-x509-glue.patch,
+ -files/openssh-6.6_p1-x509-hpn14v4-glue-p2.patch:
+ Removed old (and vulnerable) versions.

Maintainer(s), thank you for cleanup! Closing noglsa.
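The SSHFP DNS RR check that CVE-2014-2653 lets a server make the client skip, shown as an added defender-side example (this is not code from the bug, from OpenSSH or from Gentoo): it computes the SSHFP records for a host key the way `ssh-keygen -r` publishes them (SHA-1 and SHA-256 over the base64-decoded key blob, algorithm and fingerprint-type numbers from RFC 4255, RFC 6594 and RFC 7479) and compares a set of DNS SSHFP records against them. The comparison fails closed: no record, or no matching record, is a failure, never a reason to skip. The key material and the DNS records are constructed test data, and the helper `constructed_ed25519_pubkey` builds a syntactically valid but otherwise meaningless key for that purpose. The example does not parse host certificates; the fix referenced above is precisely that the client must still perform this comparison on the host key when the server offers a certificate.

```python
import base64
import hashlib
import struct

# SSHFP RDATA field values: algorithm (RFC 4255, RFC 6594, RFC 7479) and
# fingerprint type (1 = SHA-1, 2 = SHA-256).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_openssh_pubkey(line):
    """Parse an OpenSSH public key line: "<type> <base64 blob> [comment]"."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    keytype, blob = fields[0], base64.b64decode(fields[1])
    # The wire blob starts with a length-prefixed copy of the key type;
    # refuse keys whose text type and encoded type disagree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type does not match encoded blob")
    return keytype, blob


def sshfp_records(pubkey_line):
    """Return the (algorithm, fptype, hex fingerprint) tuples for a host key,
    i.e. what `ssh-keygen -r` would print for it."""
    keytype, blob = parse_openssh_pubkey(pubkey_line)
    alg = SSHFP_ALGORITHM[keytype]
    return [(alg, fptype, h(blob).hexdigest()) for fptype, h in SSHFP_HASH.items()]


def parse_sshfp_rdata(rdata):
    """Parse SSHFP RDATA text such as '4 2 <hex>' into (alg, fptype, hex)."""
    alg, fptype, fp = rdata.split(None, 2)
    return int(alg), int(fptype), fp.replace(" ", "").lower()


def host_key_matches_sshfp(pubkey_line, dns_rdata_list):
    """True only if at least one DNS SSHFP record matches the presented key.

    An empty record set, unparsable records or records for another key all
    yield False; a client must treat False as a verification failure, not as
    permission to skip the check."""
    expected = set(sshfp_records(pubkey_line))
    for rdata in dns_rdata_list:
        try:
            record = parse_sshfp_rdata(rdata)
        except ValueError:
            continue  # garbage in DNS never counts as a match
        if record in expected:
            return True
    return False


def constructed_ed25519_pubkey(raw32):
    """Build an OpenSSH-format ed25519 public key line from 32 constructed
    bytes. Test data only: the bytes are not a real key."""
    keytype = b"ssh-ed25519"
    blob = (struct.pack(">I", len(keytype)) + keytype
            + struct.pack(">I", len(raw32)) + raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-test-key"


if __name__ == "__main__":
    key = constructed_ed25519_pubkey(bytes(range(32)))
    for alg, fptype, fp in sshfp_records(key):
        print("example.invalid. IN SSHFP", alg, fptype, fp)
    # Constructed DNS answers: one matching SHA-256 record, one for a different key.
    good = ["4 2 " + sshfp_records(key)[1][2]]
    wrong = ["4 2 " + "00" * 32]
    print("matching records :", host_key_matches_sshfp(key, good))
    print("foreign records  :", host_key_matches_sshfp(key, wrong))
    print("no records       :", host_key_matches_sshfp(key, []))
```

Running it prints the two SSHFP records a zone would carry for the constructed key, then `True`, `False`, `False` for the three DNS answer sets. A client following the SSHFP logic sets `VerifyHostKeyDNS yes` in ssh_config and treats the `False` cases as "host key not confirmed by DNS", which is the outcome the vulnerable client failed to produce when a certificate was offered.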