Bug 557340

Summary:	<net-misc/openssh-7.0_p1: Multiple Vulnerabilities
Product:	Gentoo Security	Reporter:	Hanno Böck <hanno>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	base-system, chutzpah
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	A1 [glsa]
Package list:		Runtime testing required:	---
Bug Depends on:	571892
Bug Blocks:

Description Hanno Böck gentoo-dev

2015-08-12 03:23:13 UTC

See below found security fixes mentioned in the changelog of openssh 7.0.0 For the fourth one it can be argued that it is only security hardening, not a real vuln. The other ones sound serious enough to deserve a fast security bump.

 * sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-
   writable. Local attackers may be able to write arbitrary messages
   to logged-in users, including terminal escape sequences.
   Reported by Nikolay Edigaryev.

 * sshd(8): Portable OpenSSH only: Fixed a privilege separation
   weakness related to PAM support. Attackers who could successfully
   compromise the pre-authentication process for remote code
   execution and who had valid credentials on the host could
   impersonate other users.  Reported by Moritz Jodeit.

 * sshd(8): Portable OpenSSH only: Fixed a use-after-free bug
   related to PAM support that was reachable by attackers who could
   compromise the pre-authentication process for remote code
   execution. Also reported by Moritz Jodeit.

 * sshd(8): fix circumvention of MaxAuthTries using keyboard-
   interactive authentication. By specifying a long, repeating
   keyboard-interactive "devices" string, an attacker could request
   the same authentication method be tried thousands of times in
   a single pass. The LoginGraceTime timeout in sshd(8) and any
   authentication failure delays implemented by the authentication
   mechanism itself were still applied. Found by Kingcope.

Comment 1 SpanKY gentoo-dev

2015-08-12 06:11:31 UTC

the 4th one is already tracked in bug 555518

Comment 2 SpanKY gentoo-dev

2015-08-12 08:09:57 UTC

it's in the tree now, but lacks USE=X509 support.  upstream is usually pretty fast there so we can wait a little bit (should anyways to let it bake a bit).

http://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b94b01110ca2fb427c039751c0b43cdc8dfd7bb6

Comment 3 Patrick McLean gentoo-dev

2015-08-13 00:08:26 UTC

I have added USE=X509 support to the ebuild in the tree (didn't bother with a revbump since it's hard masked at the moment).

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=019ed27f297c44d1a851545975353fc99fe6ab05

Comment 4 Agostino Sarubbo gentoo-dev

2015-08-13 10:00:12 UTC

FTR,

The commit which fixes the issue n°2 is:
https://github.com/openssh/openssh-portable/commit/d4697fe9a28dab7255c60433e4dd23cf7fce8a8b


The commit which fixes the issue n°3 is:
https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7

Comment 5 Yury German Gentoo Infrastructure

2015-08-15 15:44:23 UTC

Maintainer(s), please advise if you when you are ready for stabilization or call for stabilization yourself.

Comment 6 Yury German Gentoo Infrastructure

2015-11-03 14:25:07 UTC

Ping on call for stabilization.

Comment 7 SpanKY gentoo-dev

2015-11-03 16:02:10 UTC

we already have bug 555518 to track newer stable

Comment 8 GLSAMaker/CVETool Bot gentoo-dev

2015-12-21 14:23:48 UTC

This issue was resolved and addressed in
 GLSA 201512-04 at https://security.gentoo.org/glsa/201512-04
by GLSA coordinator Yury German (BlueKnight).

Comment 9 Yury German Gentoo Infrastructure

2015-12-21 14:25:36 UTC

Re-Opening for Cleanup
Maintainer(s), please drop the vulnerable version(s).

Comment 10 Yury German Gentoo Infrastructure

2016-01-26 02:25:39 UTC

Cleanup as part of Bug #571892, setting dependency.

Comment 11 Yury German Gentoo Infrastructure

2016-04-04 20:34:03 UTC

Maintainer(s), Thank you for your work.