| Field | Value |
|---|---|
| Summary | net-misc/openssh-7.2_p2: Multiple vulnerabilities |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Agostino Sarubbo <ago> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | major |
| Priority | Normal |
| CC | base-system, bertrand, chutzpah, gentoo |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.openwall.com/lists/oss-security/2016/03/10/8 |
| Whiteboard | A2 [glsa cve] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | |
| Bug Blocks | 593238 |
Description

Agostino Sarubbo, 2016-03-10 13:32:57 UTC

Now in the tree. Don't know of any reason to not stabilize.
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6cd19cc42eac1e72dff6585b9c83bce69048df6

Arches, please test and mark stable:
=net-misc/openssh-7.2_p2
Target keywords: "alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

CVE-2016-1908: It should be noted that the new OpenSSH 7.2p2 also includes the fix for CVE-2016-1908 as it had been assigned here: http://seclists.org/oss-sec/2016/q1/115

> * SECURITY: Eliminate the fallback from untrusted X11-forwarding to trusted forwarding for cases when the X server disables the SECURITY extension. Reported by Thomas Hoger.

The associated commit (https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c) did not make it into the last release as per a last-minute decision (see: http://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034684.html).

amd64 stable

Stable for HPPA PPC64.

x86 stable

Stable on alpha.

ppc stable

arm stable

Don't know if this is the right place or a new bug would be better, but net-misc/openssh-7.2_p2 fails to compile when USE=hpn is set.

```
 * Messages for package net-misc/openssh-7.2_p2:
 * Package:    net-misc/openssh-7.2_p2
 * Repository: gentoo
 * Maintainer: base-system@gentoo.org robbat2@gentoo.org
 * USE:        X abi_x86_64 amd64 elibc_glibc hpn kernel_linux pam pie ssl userland_GNU
 * FEATURES:   preserve-libs sandbox splitdebug userpriv usersandbox
 * Sorry, but this version does not yet support features
 * that you requested:   hpn
 * Please mask openssh-7.2_p2 for now and check back later:
 *  # echo '=net-misc/openssh-7.2_p2' >> /etc/portage/package.mask
 * ERROR: net-misc/openssh-7.2_p2::gentoo failed (setup phase):
 *   booooo
 *
 * Call stack:
 *   ebuild.sh, line 133:  Called pkg_setup
 *   openssh-7.2_p2.ebuild, line 90:  Called die
 * The specific snippet of code:
 *   die "booooo"
```

Regarding the previous comment: It probably would be better to advise the user to disable the USE flag instead of masking this version, as it is a matter of security…

We don't block stable for hpn. It'll come back when the update is stable.

I've done the remaining arches.

Arches and Maintainer(s),

Thank you for your work. New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s) - 7.1_p2-r1

This issue was resolved and addressed in GLSA 201612-18 at https://security.gentoo.org/glsa/201612-18 by GLSA coordinator Aaron Bauman (b-man).