From ${URL}: A vulnerability in OpenSSH's ssh client has been reported in Debian's BTS: https://bugs.debian.org/742513 If the ssh server offers a HostCertificate that the ssh client doesn't accept, then the client doesn't then check the DNS for SSHFP records. This is a security problem because it means that a malicious server can disable SSHFP-checking by presenting a certificate. Note that users are still presented the well-known "host verification prompt". Given the prompt will and the still rather peripheral reliance on SSHFP, we consider this an issue of low severity. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
@maintainers: Debian seems to have a patch for this at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513#20 . Something of interest?
looks like upstream has addressed it in the 6.7_p1 release: https://github.com/openssh/openssh-portable/commit/7d6a9fb660c808882d064e152d6070ffc3844c3f
Maintainer(s): Please let us know when the ebuild is ready for stabilization, or call for stabilization.
Acked by radhermit
Yes, there we go again. Please specify a target to stabilise. With a list of architectures that should go stable. We've been through this.
Arches, please test and mark stable: =net-misc/openssh-6.7_p1 target KEYWORDS="alpha amd64 arm hppa ia64 ppc64 ppc sparc x86"
Stable for HPPA.
amd64 stable
x86 stable
arm stable
sparc stable
alpha stable
ppc stable
ppc64 stable
ia64 stable. Maintainer(s), please cleanup. Security, please vote.
Arches, Thank you for your work Maintainer(s), please drop the vulnerable version(s). GLSA Vote: No
GLSA Vote: No @Maintainers: Please close the bug when cleanup is done. Security is done.
CVE-2014-2653 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2653): The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.
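The control-flow flaw described in the original report and in the CVE text above, modelled as an added Python example (this is not OpenSSH's code and not part of any comment in this bug; it is a simplified model). The assumptions: the pre-6.7 client consulted SSHFP only when the presented host key was not a certificate, so a rejected certificate fell through to the known-hosts prompt with DNS never consulted, and the 6.7 fix checks SSHFP against the plain key the certificate wraps; the key blob and SSHFP records are constructed, and `HostKey`, `SSHFP`, `sshfp_matches`, `verify_host_key_vulnerable`, `verify_host_key_fixed` and `demo` are names chosen here:

```python
import hashlib
from typing import List, NamedTuple

# SSHFP RR field values from RFC 4255 / RFC 6594.
SSHFP_ALG_RSA, SSHFP_ALG_ED25519 = 1, 4
SSHFP_FP_SHA1, SSHFP_FP_SHA256 = 1, 2
_HASHES = {SSHFP_FP_SHA1: hashlib.sha1, SSHFP_FP_SHA256: hashlib.sha256}


class HostKey(NamedTuple):
    alg: int        # SSHFP algorithm number of the underlying public key
    blob: bytes     # wire-format public key blob (constructed in this example)
    is_cert: bool   # True when the server presented a HostCertificate


class SSHFP(NamedTuple):
    alg: int
    fptype: int
    fingerprint: str  # hex digest as it would be published in DNS


def sshfp_matches(key: HostKey, records: List[SSHFP]) -> bool:
    """RFC 4255 match: the fingerprint of the key's blob equals some SSHFP RR."""
    for rr in records:
        if rr.alg != key.alg or rr.fptype not in _HASHES:
            continue
        if _HASHES[rr.fptype](key.blob).hexdigest() == rr.fingerprint.lower():
            return True
    return False


def strip_cert(key: HostKey) -> HostKey:
    """The plain key a certificate wraps; SSHFP records describe that key, not the cert."""
    return key._replace(is_cert=False)


def verify_host_key_vulnerable(key: HostKey, records: List[SSHFP], cert_ok: bool) -> str:
    """Pre-6.7 shape (assumed): DNS is consulted only when no certificate was offered."""
    if not key.is_cert and sshfp_matches(key, records):
        return "dns-verified"
    if key.is_cert and cert_ok:
        return "cert-verified"
    # Unacceptable cert: the client falls back to the plain key, but the DNS
    # step was already skipped, so the user only gets the known-hosts prompt.
    return "prompt-user"


def verify_host_key_fixed(key: HostKey, records: List[SSHFP], cert_ok: bool) -> str:
    """6.7 shape (assumed): check SSHFP against the plain key regardless of the cert."""
    if sshfp_matches(strip_cert(key), records):
        return "dns-verified"
    if key.is_cert and cert_ok:
        return "cert-verified"
    return "prompt-user"


def demo() -> dict:
    """Constructed scenario: DNS publishes the right fingerprint, server sends a bad cert."""
    blob = b"constructed ed25519 host key blob, not a real key"
    records = [SSHFP(SSHFP_ALG_ED25519, SSHFP_FP_SHA256, hashlib.sha256(blob).hexdigest())]
    plain = HostKey(SSHFP_ALG_ED25519, blob, is_cert=False)
    bad_cert = HostKey(SSHFP_ALG_ED25519, blob, is_cert=True)
    return {
        "plain_vulnerable": verify_host_key_vulnerable(plain, records, cert_ok=False),
        "badcert_vulnerable": verify_host_key_vulnerable(bad_cert, records, cert_ok=False),
        "badcert_fixed": verify_host_key_fixed(bad_cert, records, cert_ok=False),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point the model makes explicit: with a correct SSHFP record in DNS, the plain key is DNS-verified, yet the same key wrapped in a certificate the client rejects drops to the prompt in the vulnerable flow, while the fixed flow strips the certificate first and still reaches "dns-verified". Operationally, the user-visible symptom of the bug is only that the prompt appears where it normally would not.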
Maintainer(s), please drop the vulnerable version(s). It has been some time and there are still vulnerable versions in tree.
+ 31 Jan 2015; Lars Wendler <polynomial-c@gentoo.org>
+ -openssh-6.6_p1-r1.ebuild, -openssh-6.6.1_p1-r4.ebuild,
+ -openssh-6.7_p1-r1.ebuild, -openssh-6.7_p1-r2.ebuild,
+ -files/openssh-5.9_p1-sshd-gssapi-multihomed.patch,
+ -files/openssh-6.3_p1-x509-glue.patch,
+ -files/openssh-6.5_p1-hpn-cipher-align.patch,
+ -files/openssh-6.6_p1-openssl-ignore-status.patch,
+ -files/openssh-6.6.1_p1.patch, -files/openssh-6.6_p1-x509-glue.patch,
+ -files/openssh-6.6_p1-x509-hpn14v4-glue-p2.patch:
+ Removed old (and vulnerable) versions.
+
Maintainer(s), Thank you for cleanup! Closing noglsa.