Bug 557340 - <net-misc/openssh-7.0_p1: Multiple Vulnerabilities
Summary: <net-misc/openssh-7.0_p1: Multiple Vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A1 [glsa]
Depends on: CVE-2016-0777
Reported: 2015-08-12 03:23 UTC by Hanno Böck
Modified: 2016-04-04 20:34 UTC
Description Hanno Böck gentoo-dev 2015-08-12 03:23:13 UTC
See below for the security fixes mentioned in the changelog of openssh 7.0.0. For the fourth one it can be argued that it is only security hardening, not a real vuln. The other ones sound serious enough to deserve a fast security bump.

 * sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-
   writable. Local attackers may be able to write arbitrary messages
   to logged-in users, including terminal escape sequences.
   Reported by Nikolay Edigaryev.

 * sshd(8): Portable OpenSSH only: Fixed a privilege separation
   weakness related to PAM support. Attackers who could successfully
   compromise the pre-authentication process for remote code
   execution and who had valid credentials on the host could
   impersonate other users.  Reported by Moritz Jodeit.

 * sshd(8): Portable OpenSSH only: Fixed a use-after-free bug
   related to PAM support that was reachable by attackers who could
   compromise the pre-authentication process for remote code
   execution. Also reported by Moritz Jodeit.

 * sshd(8): fix circumvention of MaxAuthTries using keyboard-
   interactive authentication. By specifying a long, repeating
   keyboard-interactive "devices" string, an attacker could request
   the same authentication method be tried thousands of times in
   a single pass. The LoginGraceTime timeout in sshd(8) and any
   authentication failure delays implemented by the authentication
   mechanism itself were still applied. Found by Kingcope.
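
An added example, not part of the original report or of OpenSSH: a host audit for the symptom of the first changelog item, listing pty devices whose "other" permission bits include write. The function names and the sample modes are constructed for illustration; the input format assumes GNU `stat -c '%a %n'`.

```shell
#!/bin/sh
# Added example: report pty devices that are writable by "other".
# Input: one "<octal-mode> <path>" pair per line, e.g. from
#   stat -c '%a %n' /dev/pts/*

world_writable_ttys() {
    while read -r mode path; do
        # Skip blank or malformed lines (mode must be octal digits only).
        case "$mode" in ''|*[!0-7]*) continue ;; esac
        [ -n "$path" ] || continue
        # ptmx is the pty multiplexer, not a login terminal; its mode is
        # set by the devpts mount options, so it is excluded here.
        case "$path" in */ptmx) continue ;; esac
        last=${mode#"${mode%?}"}     # final octal digit = "other" bits
        case "$last" in
            2|3|6|7) printf '%s\n' "$path" ;;   # write bit (02) is set
        esac
    done
}

# Constructed sample input (not taken from a real host).
sample_modes() {
cat <<'EOF'
620 /dev/pts/0
622 /dev/pts/1
600 /dev/pts/2
666 /dev/pts/3
666 /dev/pts/ptmx
EOF
}

audit_sample() { sample_modes | world_writable_ttys; }

# Demonstration on the constructed sample; on a live host run instead:
#   stat -c '%a %n' /dev/pts/* | world_writable_ttys
audit_sample
```

Any path printed is a terminal that other local users can write to, which is the condition the first item describes.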
Comment 1 SpanKY gentoo-dev 2015-08-12 06:11:31 UTC
the 4th one is already tracked in bug 555518
Comment 2 SpanKY gentoo-dev 2015-08-12 08:09:57 UTC
it's in the tree now, but lacks USE=X509 support.  upstream is usually pretty fast there so we can wait a little bit (should anyways to let it bake a bit).

http://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b94b01110ca2fb427c039751c0b43cdc8dfd7bb6
Comment 3 Patrick McLean gentoo-dev 2015-08-13 00:08:26 UTC
I have added USE=X509 support to the ebuild in the tree (didn't bother with a revbump since it's hard masked at the moment).

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=019ed27f297c44d1a851545975353fc99fe6ab05
Comment 4 Agostino Sarubbo gentoo-dev 2015-08-13 10:00:12 UTC
FTR,

The commit which fixes the issue n°2 is:
https://github.com/openssh/openssh-portable/commit/d4697fe9a28dab7255c60433e4dd23cf7fce8a8b


The commit which fixes the issue n°3 is:
https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7
Comment 5 Yury German Gentoo Infrastructure gentoo-dev Security 2015-08-15 15:44:23 UTC
Maintainer(s), please advise when you are ready for stabilization or call for stabilization yourself.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev Security 2015-11-03 14:25:07 UTC
Ping on call for stabilization.
Comment 7 SpanKY gentoo-dev 2015-11-03 16:02:10 UTC
we already have bug 555518 to track newer stable
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2015-12-21 14:23:48 UTC
This issue was resolved and addressed in
 GLSA 201512-04 at https://security.gentoo.org/glsa/201512-04
by GLSA coordinator Yury German (BlueKnight).
Comment 9 Yury German Gentoo Infrastructure gentoo-dev Security 2015-12-21 14:25:36 UTC
Re-Opening for Cleanup
Maintainer(s), please drop the vulnerable version(s).
Comment 10 Yury German Gentoo Infrastructure gentoo-dev Security 2016-01-26 02:25:39 UTC
Cleanup as part of Bug #571892, setting dependency.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev Security 2016-04-04 20:34:03 UTC
Maintainer(s), Thank you for your work.