Bug 505942 (CVE-2014-2653) - <net-misc/openssh-6.7_p1: openssh client does not check SSHFP if server offers certificate (CVE-2014-2653)
Summary: <net-misc/openssh-6.7_p1: openssh client does not check SSHFP if server offer...
Status: RESOLVED FIXED
Alias: CVE-2014-2653
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A4 [noglsa]
Keywords:
Depends on: 524662
Blocks:
Reported: 2014-03-27 09:25 UTC by Agostino Sarubbo
Modified: 2015-02-01 01:55 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-03-27 09:25:10 UTC
From ${URL} :

A vulnerability in OpenSSH's ssh client has been reported in Debian's BTS:
https://bugs.debian.org/742513

If the ssh server offers a HostCertificate that the ssh client doesn't accept, then the client doesn't check the DNS for SSHFP records. This is a security problem because it means that a malicious server can disable SSHFP-checking by presenting a certificate. Note that users are still presented the well-known "host verification prompt".

Given the prompt will still be shown and the still rather peripheral reliance on SSHFP, we consider this an issue of low severity.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
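A simplified model of the control-flow defect described in the report, added here as an example and not code from OpenSSH or Gentoo: the host name, the SSHFP record content and the helper names are constructed, and the "fixed" function only models the idea of checking the plain key behind a certificate against DNS rather than skipping the check outright.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the ssh client's host key verification; not OpenSSH code. */
enum verdict { HOST_ACCEPTED_SSHFP, HOST_ACCEPTED_CERT, HOST_PROMPT_USER };

struct hostkey {
    const char *fingerprint;  /* fingerprint of the underlying plain host key */
    bool is_cert;             /* server presented a HostCertificate */
    bool cert_ca_trusted;     /* certificate is signed by a CA the client trusts */
};

/* Constructed stand-in for a DNS SSHFP lookup: the fingerprint published for the host. */
static const char *sshfp_lookup(const char *host) {
    if (strcmp(host, "example.test") == 0)
        return "SHA256:constructed-fingerprint-of-real-host-key";
    return NULL;  /* no SSHFP RR published for this host */
}

static bool sshfp_matches(const char *host, const char *fingerprint) {
    const char *rr = sshfp_lookup(host);
    return rr != NULL && strcmp(rr, fingerprint) == 0;
}

/* OpenSSH 6.6 and earlier: the SSHFP check is only attempted for plain keys, so a
 * certificate the client rejects drops straight through to the known_hosts prompt. */
enum verdict verify_host_key_vulnerable(const char *host, const struct hostkey *key) {
    if (!key->is_cert && sshfp_matches(host, key->fingerprint))
        return HOST_ACCEPTED_SSHFP;
    if (key->is_cert && key->cert_ca_trusted)
        return HOST_ACCEPTED_CERT;
    return HOST_PROMPT_USER;  /* known_hosts lookup and the usual prompt follow */
}

/* Modelled 6.7_p1 behaviour: compare the plain key embedded in the certificate
 * against SSHFP first, so an unacceptable certificate cannot suppress the DNS check. */
enum verdict verify_host_key_fixed(const char *host, const struct hostkey *key) {
    if (sshfp_matches(host, key->fingerprint))  /* certificate wrapper is ignored here */
        return HOST_ACCEPTED_SSHFP;
    if (key->is_cert && key->cert_ca_trusted)
        return HOST_ACCEPTED_CERT;
    return HOST_PROMPT_USER;
}

int main(void) {
    struct hostkey rejected = { "SHA256:constructed-fingerprint-of-real-host-key", true, false };
    printf("vulnerable: %d, fixed: %d\n", verify_host_key_vulnerable("example.test", &rejected),
           verify_host_key_fixed("example.test", &rejected));
    return 0;
}
```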
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-17 22:49:07 UTC
@maintainers: Debian seems to have a patch for this at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513#20 . Something of interest?
Comment 2 SpanKY gentoo-dev 2014-11-15 20:04:44 UTC
looks like upstream has addressed it in the 6.7_p1 release:
https://github.com/openssh/openssh-portable/commit/7d6a9fb660c808882d064e152d6070ffc3844c3f
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-11-23 14:29:17 UTC
Maintainer(s): Please let us know when the ebuild is ready for stabilization, or call for stabilization.
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-11-23 15:10:05 UTC
Acked by radhermit
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2014-11-23 21:18:40 UTC
Yes, there we go again. Please specify a target to stabilise. With a list of architectures that should go stable. We've been through this.
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-11-23 21:21:08 UTC
Arches, please test and mark stable:

=net-misc/openssh-6.7_p1

target KEYWORDS="alpha amd64 arm hppa ia64 ppc64 ppc sparc x86"
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2014-11-24 11:29:56 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2014-11-29 13:23:48 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-11-29 13:24:17 UTC
x86 stable
Comment 10 Markus Meier gentoo-dev 2014-11-29 19:45:56 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-12-01 09:17:41 UTC
sparc stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-12-02 11:58:04 UTC
alpha stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-12-03 09:58:51 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2014-12-04 08:27:54 UTC
ppc64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2014-12-06 16:48:27 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2014-12-07 18:55:16 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version(s).

GLSA Vote: No
Comment 17 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-10 22:52:48 UTC
GLSA Vote: No

@Maintainers: Please close the bug when cleanup is done. Security is done.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2014-12-28 23:58:18 UTC
CVE-2014-2653 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2653):
  The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6
  and earlier allows remote servers to trigger the skipping of SSHFP DNS RR
  checking by presenting an unacceptable HostCertificate.
Comment 19 Yury German Gentoo Infrastructure gentoo-dev 2015-01-28 22:34:03 UTC
Maintainer(s), please drop the vulnerable version(s). It has been some time and there are still vulnerable versions in tree.
Comment 20 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-01-31 18:05:29 UTC
+  31 Jan 2015; Lars Wendler <polynomial-c@gentoo.org>
+  -openssh-6.6_p1-r1.ebuild, -openssh-6.6.1_p1-r4.ebuild,
+  -openssh-6.7_p1-r1.ebuild, -openssh-6.7_p1-r2.ebuild,
+  -files/openssh-5.9_p1-sshd-gssapi-multihomed.patch,
+  -files/openssh-6.3_p1-x509-glue.patch,
+  -files/openssh-6.5_p1-hpn-cipher-align.patch,
+  -files/openssh-6.6_p1-openssl-ignore-status.patch,
+  -files/openssh-6.6.1_p1.patch, -files/openssh-6.6_p1-x509-glue.patch,
+  -files/openssh-6.6_p1-x509-hpn14v4-glue-p2.patch:
+  Removed old (and vulnerable) versions.
+
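Review bot: the entry's message describes everything removed as "old (and vulnerable)", yet -openssh-6.7_p1-r1.ebuild and -openssh-6.7_p1-r2.ebuild are revisions of the 6.7_p1 release that comment 2 identifies as carrying the upstream fix; consider wording it as "Removed old versions" or naming only the 6.6 ebuilds as vulnerable so the ChangeLog does not misstate which ebuilds CVE-2014-2653 affected.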
Comment 21 Yury German Gentoo Infrastructure gentoo-dev 2015-02-01 01:55:57 UTC
Maintainer(s), Thank you for cleanup!

Closing noglsa.