Bug 149502 - net-misc/openssh: security fixes in 4.4
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: High normal
Assignee: Gentoo Security
Whiteboard: C1? [glsa] vorlon
: 149503 (view as bug list)
Depends on:
Reported: 2006-09-29 03:31 UTC by David Danier
Modified: 2006-11-13 15:20 UTC
Description David Danier 2006-09-29 03:31:28 UTC
See for details.

Security bugs resolved in this release:

 * Fix a pre-authentication denial of service found by Tavis Ormandy,
   that would cause sshd(8) to spin until the login grace time

 * Fix an unsafe signal handler reported by Mark Dowd. The signal
   handler was vulnerable to a race condition that could be exploited
   to perform a pre-authentication denial of service. On portable
   OpenSSH, this vulnerability could theoretically lead to
   pre-authentication remote code execution if GSSAPI authentication
   is enabled, but the likelihood of successful exploitation appears

 * On portable OpenSSH, fix a GSSAPI authentication abort that could
   be used to determine the validity of usernames on some platforms.
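
Added example, not part of the bug report and not OpenSSH code: the second item above concerns a signal handler made unsafe by a race condition. This C example shows the general defensive shape (the handler only records the event, cleanup runs once in normal context) beside the unsafe shape; `struct conn`, `run_session`, `timed_out` and the choice of SIGALRM are assumptions made for illustration.

```c
#include <signal.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-connection state (not an OpenSSH structure). */
struct conn { char *buf; int frees; };

static struct conn *g_conn;                 /* what an unsafe handler would touch */
static volatile sig_atomic_t g_timed_out;   /* portable type for a handler-written flag */

static void conn_cleanup(struct conn *c) {  /* free() is not async-signal-safe */
    free(c->buf);
    c->buf = NULL;
    c->frees++;
}

/* Unsafe shape, defined for contrast and never installed: if the signal lands
 * while the main flow is inside malloc()/free() or conn_cleanup(), allocator
 * state is re-entered or the buffer can be released twice. */
void unsafe_handler(int sig) { (void)sig; conn_cleanup(g_conn); }

/* Safe shape: record the event and return. */
static void safe_handler(int sig) { (void)sig; g_timed_out = 1; }

int timed_out(void) { return g_timed_out; }

/* Runs up to `steps` work iterations; the signal is raised at step `fire_at`
 * (-1 = never). Returns how many times the buffer was released, -1 on error. */
int run_session(int steps, int fire_at) {
    struct conn c = { malloc(64), 0 };
    if (c.buf == NULL) return -1;
    g_conn = &c;
    g_timed_out = 0;
    if (signal(SIGALRM, safe_handler) == SIG_ERR) { free(c.buf); return -1; }
    for (int i = 0; i < steps && !g_timed_out; i++) {
        memset(c.buf, i, 64);               /* stand-in for protocol work */
        if (i == fire_at) raise(SIGALRM);   /* constructed trigger for the demo */
    }
    conn_cleanup(&c);                       /* single cleanup, outside the handler */
    signal(SIGALRM, SIG_DFL);
    g_conn = NULL;
    return c.frees;
}
```
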
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2006-09-29 03:51:05 UTC
*** Bug 149503 has been marked as a duplicate of this bug. ***
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2006-09-29 04:00:51 UTC
the last two vulnerabilities are not covered in the latest glsa

since 4.4 is still missing x509 and smartcard support (lcars is working on ldap), we should get the older version patched for the new vulnerabilities

rating C1, but I am pretty unsure, since code execution is said to be possible, but _highly_ unlikely

Comment 3 Andrea Barisani (RETIRED) gentoo-dev 2006-09-29 10:18:01 UTC
I just committed 4.4p1-r1 with ldap support (a new patch has been created). Please don't unmask until I say the final word ;). In the meantime testing is much appreciated.
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-15 12:18:59 UTC
any news here? (x509/smartcard/...?)
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-19 06:19:27 UTC
Comment 6 SpanKY gentoo-dev 2006-10-19 08:32:33 UTC
openssh-4.4_p1-r4 has all updates but smartcard
Comment 7 SpanKY gentoo-dev 2006-10-31 01:19:45 UTC
openssh-4.4_p1-r5 has everything if you feel like pushing it
Comment 8 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-31 01:57:30 UTC
arches, please test openssh-4.4_p1-r5 and mark stable if possible

Comment 9 Gustavo Zacarias (RETIRED) gentoo-dev 2006-10-31 04:46:43 UTC
I'm hitting the issue on bug #151527, patch doesn't apply clean when both X509 and hpn are USEd.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2006-10-31 05:07:37 UTC
Stable for HPPA.
Comment 11 Andrej Kacian (RETIRED) gentoo-dev 2006-10-31 08:43:08 UTC
Stable on x86
Comment 12 Michael Weyershäuser 2006-10-31 11:29:52 UTC
emerges fine and works on amd64.

emerge --info
Portage 2.1.1-r1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.18-suspend2-Dudebox-Edition x86_64)
System uname: 2.6.18-suspend2-Dudebox-Edition x86_64 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.12.5
Last Sync: Tue, 31 Oct 2006 04:50:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
CFLAGS="-march=k8 -msse3 -Os -pipe"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -msse3 -Os -pipe"
FEATURES="autoconfig buildpkg ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
USE="amd64 X alsa apache2 berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode esd fam firefox fortran gcj gdbm gif gpm gstreamer gtk gtk2 hal iconv imap input_devices_keyboard input_devices_mouse isdnlog jpeg kde kdeenablefinal kdehiddenvisibility kernel_linux libg++ mad mikmod mp3 mpeg mysql ncurses nls nptl nptlonly objc objc++ ogg oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl sqlite ssl tcpd test truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_radeon vorbis xml xorg xv zlib"
Comment 13 Danny van Dyk (RETIRED) gentoo-dev 2006-10-31 11:46:38 UTC
amd64 done. Thanks Michael.
Comment 14 Wolfram Schlich (RETIRED) gentoo-dev 2006-10-31 15:24:35 UTC
I think users that were using USE="sftplogging" with older versions of OpenSSH should be informed that SFTP logging has been incorporated into upstream OpenSSH and that this USE flag is therefore gone.
Comment 15 Wolfram Schlich (RETIRED) gentoo-dev 2006-10-31 15:42:08 UTC
(In reply to comment #9)
> I'm hitting the issue on bug #151527, patch doesn't apply clean when both X509
> and hpn are USEd.

Same here -- see :(
Comment 16 Chris White (RETIRED) gentoo-dev 2006-10-31 16:22:39 UTC
I'm confused, an issue was brought up (a combination of USE flags causing a patch application to fail) and it was marked stable anyways?  Shouldn't this go back to ebuild status until the issue is fixed?
Comment 17 Ciaran McCreesh 2006-10-31 16:27:30 UTC
Yes, it should. Unfortunately some arch security teams don't read the bug before stabling.
Comment 18 Gustavo Zacarias (RETIRED) gentoo-dev 2006-11-01 05:32:07 UTC
Thanks SpanKY.
sparc stable.
Comment 19 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-01 06:40:18 UTC
ppc stable
Comment 20 Wolfram Schlich (RETIRED) gentoo-dev 2006-11-01 08:37:35 UTC
WTF?! :(
Comment 21 Wolfram Schlich (RETIRED) gentoo-dev 2006-11-01 08:39:05 UTC
(In reply to comment #20)
> WTF?! :(

Nevermind -- I didn't look at :)
Comment 22 Fernando J. Pereda (RETIRED) gentoo-dev 2006-11-03 00:39:16 UTC
Alpha done.
Comment 23 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-03 05:27:54 UTC
Security team, do you agree with sending a GLSA? (Although the exploitation for code exec seems really really hard)
Comment 24 Wolf Giesen (RETIRED) gentoo-dev 2006-11-03 07:41:09 UTC
I tend to see ssh DoS as one of the more important (heh) forms of DoS ... so that's a YES .-)
Comment 25 Brent Baude (RETIRED) gentoo-dev 2006-11-04 19:50:18 UTC
marked ppc64 stable
Comment 26 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-05 16:02:58 UTC
agreed, we should publish a GLSA (given the importance of openssh)
Comment 27 Ilya Volynets (RETIRED) gentoo-dev 2006-11-08 15:17:23 UTC
Marked 4.4_p1-r6 stable on mips
Comment 28 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-13 15:20:51 UTC
GLSA 200611-06, thanks everybody