From ${URL} : The OpenSSH 6.9 release contains the following changes declared as security issues: http://www.openssh.com/txt/release-6.9

> Security
> --------
>
> * ssh(1): when forwarding X11 connections with ForwardX11Trusted=no,
> connections made after ForwardX11Timeout expired could be permitted
> and no longer subject to XSECURITY restrictions because of an
> ineffective timeout check in ssh(1) coupled with "fail open"
> behaviour in the X11 server when clients attempted connections with
> expired credentials. This problem was reported by Jann Horn.

In the portable releases, this is https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=1bf477d3cdf1a864646d59820878783d42357a1d

> * ssh-agent(1): fix weakness of agent locking (ssh-add -x) to
> password guessing by implementing an increasing failure delay,
> storing a salted hash of the password rather than the password
> itself and using a timing-safe comparison function for verifying
> unlock attempts. This problem was reported by Ryan Castellucci.

In the portable releases, this is https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=9173d0fbe44de7ebcad8a15618e13a8b8d78902e

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
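The ssh-agent lock hardening quoted above (salted hash instead of the password itself, timing-safe comparison, growing delay after each failure), as an added Python illustration that is not OpenSSH's code: the PBKDF2 parameters and the delay schedule are assumptions chosen for the example, and the `WeakAgentLock` class stands in for the pre-fix pattern the note describes.

```python
import hashlib
import hmac
import os
import time


class AgentLock:
    """Lock state modelled on the ssh-agent fix in the release note (assumed
    parameters, not OpenSSH's): the passphrase is never retained, only a
    salted PBKDF2-SHA256 digest; unlock attempts are compared in constant
    time; every failure lengthens the delay before the next attempt."""

    def __init__(self, password: bytes, iterations: int = 100_000, sleep=time.sleep):
        self.salt = os.urandom(16)            # fresh random salt per lock
        self.iterations = iterations
        self.digest = self._derive(password)  # only the hash is stored
        self.failures = 0
        self._sleep = sleep                   # injectable so tests need not wait

    def _derive(self, secret: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret, self.salt, self.iterations)

    @staticmethod
    def delay_for(failures: int) -> float:
        # Assumed schedule: grows quadratically and is capped at 10 s, so online
        # guessing slows down without locking out the legitimate owner forever.
        return min(0.1 * failures * failures, 10.0)

    def unlock(self, attempt: bytes) -> bool:
        candidate = self._derive(attempt)
        # hmac.compare_digest does not stop at the first differing byte, so the
        # comparison time reveals nothing about how much of the digest matched.
        if hmac.compare_digest(candidate, self.digest):
            self.failures = 0
            return True
        self.failures += 1
        self._sleep(self.delay_for(self.failures))
        return False


class WeakAgentLock:
    """The pre-6.9 pattern the note describes: plaintext password retained in
    memory, short-circuiting comparison, no back-off between failed attempts."""

    def __init__(self, password: bytes):
        self.password = password

    def unlock(self, attempt: bytes) -> bool:
        return attempt == self.password
```

The injectable `sleep` lets a test record the back-off schedule instead of waiting it out; a real agent would call `time.sleep` (the default).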
+*openssh-6.9_p1 (01 Jul 2015) + + 01 Jul 2015; Lars Wendler <polynomial-c@gentoo.org> + -openssh-6.7_p1-r3.ebuild, -openssh-6.8_p1.ebuild, -openssh-6.8_p1-r1.ebuild, + -openssh-6.8_p1-r2.ebuild, -openssh-6.8_p1-r3.ebuild, + -openssh-6.8_p1-r4.ebuild, +openssh-6.9_p1.ebuild: + Security bump (bug #553724). Removed old. + There's yet no x509 patch available for openssh-6.9_p1 so -r0 should not go stable.
openssh-6.9_p1-r1 added to the tree with the X509 patch
is it ok to go stable?
(In reply to Mikle Kolyada from comment #3) I'm going to add a -r2 with an updated hpn patchset. There's some things in there I want to remove (like the server logging).
I've added 6.9p1-r2 to the tree now. Give it a few days to bake and then move forward w/stabilizing.
Ping for stabilization, works fine on my boxes.
amd64 stable
Stable for PPC64.
Stable for HPPA.
arm stable
Stable on alpha.
x86 stable
ppc stable
sparc stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).
Maintainer(s), please drop the vulnerable version(s).
This issue was resolved and addressed in GLSA 201512-04 at https://security.gentoo.org/glsa/201512-04 by GLSA coordinator Yury German (BlueKnight).
Re-opening for cleanup. Maintainer(s), please drop the vulnerable version(s).
Arches and Maintainer(s), thank you for your work.