Bug 590202 - <net-misc/openssh-7.3_p1: multiple vulnerabilities
Summary: <net-misc/openssh-7.3_p1: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A3 [glsa]
Keywords:
Duplicates: 590210
Depends on: 590382
Blocks: CVE-2015-8325 CVE-2016-6210
Reported: 2016-08-01 12:24 UTC by Agostino Sarubbo
Modified: 2016-12-07 10:33 UTC
Description Agostino Sarubbo gentoo-dev 2016-08-01 12:24:21 UTC
From ${URL} :

Changes since OpenSSH 7.2
=========================

This is primarily a bugfix release.

Security
--------

 * sshd(8): Mitigate a potential denial-of-service attack against
   the system's crypt(3) function via sshd(8). An attacker could
   send very long passwords that would cause excessive CPU use in
   crypt(3). sshd(8) now refuses to accept password authentication
   requests of length greater than 1024 characters. Independently
   reported by Tomas Kuthan (Oracle), Andres Rojas and Javier Nieto.

 * sshd(8): Mitigate timing differences in password authentication
   that could be used to discern valid from invalid account names
   when long passwords were sent and particular password hashing
   algorithms are in use on the server. CVE-2016-6210, reported by
   EddieEzra.Harari at verint.com

 * ssh(1), sshd(8): Fix observable timing weakness in the CBC padding
   oracle countermeasures. Reported by Jean Paul Degabriele, Kenny
   Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers
   are disabled by default and only included for legacy compatibility.

 * ssh(1), sshd(8): Improve operation ordering of MAC verification for
   Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the
   MAC before decrypting any ciphertext. This removes the possibility
   of timing differences leaking facts about the plaintext, though no
   such leakage has been observed.  Reported by Jean Paul Degabriele,
   Kenny Paterson, Torben Hansen and Martin Albrecht.
    
 * sshd(8): (portable only) Ignore PAM environment vars when
   UseLogin=yes. If PAM is configured to read user-specified
   environment variables and UseLogin=yes in sshd_config, then a
   hostile local user may attack /bin/login via LD_PRELOAD or
   similar environment variables set via PAM. CVE-2015-8325,
   found by Shayan Sadigh.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
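
The first two sshd(8) mitigations in the release notes above (the 1024-character password cap and equal work for valid and invalid account names) are illustrated by the following added example. It is not OpenSSH's code and not part of the original bug report; PBKDF2 stands in for crypt(3), lengths are counted in bytes, and `check_password`, `USERS`, `DUMMY` and `STATS` are hypothetical names.

```python
import hashlib
import hmac
import os

MAX_PASSWORD_LEN = 1024        # cap quoted in the release notes
KDF_ITERATIONS = 20_000        # constructed cost; PBKDF2 stands in for crypt(3)
STATS = {"kdf_calls": 0}       # demo instrumentation: counts expensive hashes


def slow_hash(password, salt):
    """Expensive password hash (assumed stand-in for the system's crypt(3))."""
    STATS["kdf_calls"] += 1
    return hashlib.pbkdf2_hmac("sha256", password, salt, KDF_ITERATIONS)


def make_record(password):
    """Return (salt, hash) as it would be stored for an account."""
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)


# Constructed account database, plus a dummy record created with the SAME
# algorithm and cost as real accounts, so a lookup miss does equal work.
USERS = {"alice": make_record(b"correct horse")}
DUMMY = make_record(os.urandom(32))


def check_password(user, password):
    # 1. Refuse oversized input before any hashing, for every user alike,
    #    so a long password cannot be used to burn CPU in the hash.
    if len(password) > MAX_PASSWORD_LEN:
        return False
    # 2. Unknown account: hash anyway, against the dummy record, so the
    #    response time does not reveal whether the account exists.
    known = user in USERS
    salt, expected = USERS[user] if known else DUMMY
    candidate = slow_hash(password, salt)
    # 3. Constant-time comparison; a match only counts for a real account.
    return hmac.compare_digest(candidate, expected) and known
```

If the dummy record used a cheaper algorithm than the real accounts, the difference in hashing time would reintroduce the account-name oracle, which is why `DUMMY` is built with the same `make_record` path.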
Comment 1 SpanKY gentoo-dev 2016-08-02 09:12:37 UTC
*** Bug 590210 has been marked as a duplicate of this bug. ***
Comment 2 SpanKY gentoo-dev 2016-08-02 14:57:49 UTC
7.3p1 is in the tree, but w/out X509 support.  we prob want to wait on stabilizing until that's out, but if it doesn't come out soon, we can move forward w/out it.
Comment 3 SpanKY gentoo-dev 2016-08-03 01:48:40 UTC
looks like upstream X509 guy is working on it, so should be fine to wait
Comment 4 Patrick McLean gentoo-dev 2016-08-03 21:07:36 UTC
openssh-7.3_p1-r1 is now in the tree with the updated X509 patch
Comment 5 Yury German Gentoo Infrastructure gentoo-dev Security 2016-09-17 05:46:12 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-12-07 10:33:00 UTC
This issue was resolved and addressed in
 GLSA 201612-18 at https://security.gentoo.org/glsa/201612-18
by GLSA coordinator Aaron Bauman (b-man).