Bug 553724 (CVE-2015-5352)

Summary: <net-misc/openssh-6.9_p1-r2: two security issues (CVE-2015-5352)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: base-system, chutzpah
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2015/07/01/7
See Also: https://bugs.gentoo.org/show_bug.cgi?id=555316
Whiteboard: A3 [glsa cve cleanup]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-07-01 12:39:01 UTC
From ${URL} :

The OpenSSH 6.9 release contains the following changes declared as
security issues:

http://www.openssh.com/txt/release-6.9

> Security
> --------
>
>  * ssh(1): when forwarding X11 connections with ForwardX11Trusted=no,
>    connections made after ForwardX11Timeout expired could be permitted
>    and no longer subject to XSECURITY restrictions because of an
>    ineffective timeout check in ssh(1) coupled with "fail open"
>    behaviour in the X11 server when clients attempted connections with
>    expired credentials. This problem was reported by Jann Horn.

In the portable releases, this is
https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=1bf477d3cdf1a864646d59820878783d42357a1d

>  * ssh-agent(1): fix weakness of agent locking (ssh-add -x) to
>    password guessing by implementing an increasing failure delay,
>    storing a salted hash of the password rather than the password
>    itself and using a timing-safe comparison function for verifying
>    unlock attempts. This problem was reported by Ryan Castellucci.

In the portable releases, this is
https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=9173d0fbe44de7ebcad8a15618e13a8b8d78902e
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
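The second item in the quoted release notes describes a mechanism rather than a single bug: the agent lock is hardened by keeping a salted hash instead of the password, comparing in constant time, and making each failed unlock slower than the last. The following is an added illustration written for this page, a Python model of that scheme beside the weak "before" behaviour; it is not OpenSSH's C code, and the class names, the PBKDF2-HMAC-SHA256 parameters, the 16-byte salt and the linear 0.1 s delay step are all assumptions made here, not values from ssh-agent.

```python
"""Model of the ssh-agent lock hardening from the OpenSSH 6.9 release notes.
Added example for this page; not OpenSSH's implementation."""

import hashlib
import hmac
import os
import time

# Assumed parameters (chosen for this example, not taken from ssh-agent).
SALT_LEN = 16
KDF_ROUNDS = 50_000
DELAY_STEP = 0.1  # seconds added per consecutive failed unlock


class WeakAgentLock:
    """Pre-6.9 style lock, kept here only as the 'before' for contrast:
    it retains the password itself, compares with a comparison that is not
    guaranteed constant-time, and never slows a guesser down."""

    def __init__(self):
        self.locked = False
        self.password = None

    def lock(self, password: str) -> None:
        self.locked = True
        self.password = password  # plaintext stays resident while locked

    def unlock(self, attempt: str) -> bool:
        if self.locked and attempt == self.password:
            self.locked = False
            self.password = None
            return True
        return False  # no delay: guesses can be tried at full speed


class HardenedAgentLock:
    """6.9-style lock: only salt + KDF output are kept, unlock attempts are
    verified with a timing-safe compare, and each failure adds delay."""

    def __init__(self, sleep=time.sleep):
        self.locked = False
        self.salt = None
        self.digest = None
        self.failures = 0
        self._sleep = sleep  # injectable so a test need not really wait

    @staticmethod
    def derive(password: str, salt: bytes) -> bytes:
        # Salted, iterated hash: a leaked digest does not reveal the password
        # and cannot be matched against a precomputed table.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)

    def lock(self, password: str) -> None:
        self.salt = os.urandom(SALT_LEN)  # fresh salt on every lock
        self.digest = self.derive(password, self.salt)
        self.failures = 0
        self.locked = True

    def failure_delay(self) -> float:
        # Increasing delay: the n-th consecutive failure waits n * DELAY_STEP.
        return DELAY_STEP * self.failures

    def unlock(self, attempt: str) -> bool:
        if not self.locked:
            return False
        candidate = self.derive(attempt, self.salt)
        # compare_digest runs in time independent of where the bytes differ.
        if hmac.compare_digest(candidate, self.digest):
            self.locked = False
            self.salt = self.digest = None
            self.failures = 0
            return True
        self.failures += 1
        self._sleep(self.failure_delay())
        return False


def demo() -> dict:
    """Lock with a constructed password, try three wrong guesses, then the
    right one; return what happened so the effect can be inspected."""
    slept = []  # records the delay requested after each failure
    lock = HardenedAgentLock(sleep=slept.append)
    lock.lock("correct horse battery staple")
    wrong = [lock.unlock(g) for g in ("guess1", "guess2", "guess3")]
    unlocked = lock.unlock("correct horse battery staple")
    return {"wrong": wrong, "delays": slept, "unlocked": unlocked,
            "locked_after": lock.locked, "digest_after": lock.digest}
```

Running demo() shows the three failed attempts costing 0.1, 0.2 and 0.3 seconds of delay in turn, the correct password still unlocking afterwards, and nothing password-derived remaining in the object once unlocked. The same password locked twice yields different digests because of the per-lock salt.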
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-07-01 20:55:40 UTC
+*openssh-6.9_p1 (01 Jul 2015)
+
+  01 Jul 2015; Lars Wendler <polynomial-c@gentoo.org>
+  -openssh-6.7_p1-r3.ebuild, -openssh-6.8_p1.ebuild, -openssh-6.8_p1-r1.ebuild,
+  -openssh-6.8_p1-r2.ebuild, -openssh-6.8_p1-r3.ebuild,
+  -openssh-6.8_p1-r4.ebuild, +openssh-6.9_p1.ebuild:
+  Security bump (bug #553724). Removed old.
+
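Review bot: the entry cites only bug #553724; since this bump removes every 6.7 and 6.8 ebuild in the same commit and the bug tracks CVE-2015-5352, naming the CVE in the "Security bump" line would let a reader of the ChangeLog see which advisory the bump addresses without opening the bug.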

There's no x509 patch available yet for openssh-6.9_p1, so -r0 should not go stable.
Comment 2 Patrick McLean gentoo-dev 2015-07-01 22:54:00 UTC
openssh-6.9_p1-r1 added to the tree with the X509 patch.
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-06 16:57:31 UTC
Is it OK to go stable?
Comment 4 SpanKY gentoo-dev 2015-07-08 08:22:51 UTC
(In reply to Mikle Kolyada from comment #3)

I'm going to add a -r2 with an updated hpn patchset. There are some things in there I want to remove (like the server logging).
Comment 5 SpanKY gentoo-dev 2015-07-08 09:10:35 UTC
I've added 6.9p1-r2 to the tree now. Give it a few days to bake and then move forward with stabilizing.
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-18 13:51:29 UTC
Ping for stabilization, works fine on my boxes.
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-18 14:54:52 UTC
amd64 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2015-07-19 07:23:32 UTC
Stable for PPC64.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2015-07-19 08:09:37 UTC
Stable for HPPA.
Comment 10 Markus Meier gentoo-dev 2015-07-19 18:33:36 UTC
arm stable
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2015-07-20 15:45:31 UTC
Stable on alpha.
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-22 17:48:43 UTC
x86 stable
Comment 13 Agostino Sarubbo gentoo-dev 2015-07-23 09:03:20 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-07-23 09:39:34 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2015-08-10 13:45:56 UTC
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2015-10-10 02:51:09 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2015-12-21 14:23:32 UTC
This issue was resolved and addressed in
 GLSA 201512-04 at https://security.gentoo.org/glsa/201512-04
by GLSA coordinator Yury German (BlueKnight).
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2015-12-21 14:24:31 UTC
Re-opening for cleanup.
Maintainer(s), please drop the vulnerable version(s).
Comment 19 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 08:21:58 UTC
Arches and Maintainer(s), Thank you for your work.