See http://www.openssh.com/txt/release-4.4 for details.
Security bugs resolved in this release:
* Fix a pre-authentication denial of service found by Tavis Ormandy,
that would cause sshd(8) to spin until the login grace time
* Fix an unsafe signal hander reported by Mark Dowd. The signal
handler was vulnerable to a race condition that could be exploited
to perform a pre-authentication denial of service. On portable
OpenSSH, this vulnerability could theoretically lead to
pre-authentication remote code execution if GSSAPI authentication
is enabled, but the likelihood of successful exploitation appears
* On portable OpenSSH, fix a GSSAPI authentication abort that could
be used to determine the validity of usernames on some platforms.
*** Bug 149503 has been marked as a duplicate of this bug. ***
the last two vulnerabilities are not covered in the latest glsa
since 4.4 is still missing x509 and smartcard support (lcars is working on ldap), we should get the older version patched for the new vulnerabilities
rating C1, but I am pretty unsure, since code execution is said to be possible, but _highly_ unlikely
I just committed 4.4p1-r1 with ldap support (a new patch has been created). Please don't unmask until I say the final word ;). In the meantime testing is much appreciated.
any news here? (x509/smartcard/...?)
openssh-4.4_p1-r4 has all updates but smartcard
openssh-4.4_p1-r5 has everything if you feel like pushing it
arches, please test openssh-4.4_p1-r5 and mark stable if possible
I'm hitting the issue on bug #151527, patch doesn't apply clean when both X509 and hpn are USEd.
Stable for HPPA.
Stable on x86
emerges fine and works on amd64.
Portage 2.1.1-r1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.18-suspend2-Dudebox-Edition x86_64)
System uname: 2.6.18-suspend2-Dudebox-Edition x86_64 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.12.5
Last Sync: Tue, 31 Oct 2006 04:50:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-util/confcache: [Not Present]
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
CFLAGS="-march=k8 -msse3 -Os -pipe"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -msse3 -Os -pipe"
FEATURES="autoconfig buildpkg ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
USE="amd64 X alsa apache2 berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode esd fam firefox fortran gcj gdbm gif gpm gstreamer gtk gtk2 hal iconv imap input_devices_keyboard input_devices_mouse isdnlog jpeg kde kdeenablefinal kdehiddenvisibility kernel_linux libg++ mad mikmod mp3 mpeg mysql ncurses nls nptl nptlonly objc objc++ ogg oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl sqlite ssl tcpd test truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_radeon vorbis xml xorg xv zlib"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS
amd64 done. Thanks Michael.
I think users that were using USE="sftplogging" with older versions of OpenSSH should be informed that SFTP logging has been incorporated into upstream OpenSSH and that this USE flag is therefore gone.
(In reply to comment #9)
> I'm hitting the issue on bug #151527, patch doesn't apply clean when both X509
> and hpn are USEd.
Same here -- see https://bugs.gentoo.org/show_bug.cgi?id=151527#c19 :(
I'm confused, an issue was brought up (a combination of USE flags causing a patch application to fail) and it was marked stable anyways? Shouldn't this go back to ebuild status until the issue is fixed?
Yes, it should. Unfortunately some arch security teams don't read the bug before stabling.
(In reply to comment #20)
> WTF?! :(
Nevermind -- I didn't look at https://bugs.gentoo.org/show_bug.cgi?id=151527#c21 :)
Security team do you agree with sending a GLSA ? (Although the exploitation for code exec seems really really hard)
I tend to see ssh DoS as one of the more important (heh) forms of DoS ... so that's a YES .-)
marked ppc64 stable
agreed, we should publish a GLSA (given the importance of openssh)
Marked 4.4_p1-r6 stable on mips
GLSA 200611-06, thanks everybody