Bug 675522 (CVE-2019-6111) - <net-misc/openssh-7.9_p1-r4: multiple vulnerabilities (CVE-2019-{6109,6110,6111})
Summary: <net-misc/openssh-7.9_p1-r4: multiple vulnerabilities (CVE-2019-{6109,6110,6111})
Status: IN_PROGRESS
Alias: CVE-2019-6111
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+ cve cleanup]
Keywords:
Depends on: 661258
Blocks: CVE-2019-6109, CVE-2019-6110, CVE-2018-20685
Reported: 2019-01-15 17:50 UTC by GLSAMaker/CVETool Bot
Modified: 2019-08-09 21:18 UTC
CC: 5 users

See Also:
Package list:
net-misc/openssh-7.9_p1-r4
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Description GLSAMaker/CVETool Bot gentoo-dev 2019-01-15 17:50:31 UTC
CVE-2019-6111 (https://nvd.nist.gov/vuln/detail/CVE-2019-6111):
  scp client missing received object name validation

CVE-2019-6110 (https://nvd.nist.gov/vuln/detail/CVE-2019-6110):
  scp client spoofing via stderr

CVE-2019-6109 (https://nvd.nist.gov/vuln/detail/CVE-2019-6109):
  scp client spoofing via object name
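The three summaries above describe two classes of client-side weakness in scp: a missing check that the object name the server announces is a plain file name matching what the client asked for (CVE-2019-6111), and crafted object names or stderr output that can inject terminal control sequences into the client's display (CVE-2019-6109, CVE-2019-6110). The following is an added example, not OpenSSH code and not the patches referenced on this bug; it sketches the kind of client-side check a defender would want, with hypothetical function names and a constructed list of server-announced names. Whether a real client should apply exactly these rules (for example the dotfile rule, which is stricter than plain fnmatch) is an assumption of the example.

```python
from __future__ import annotations

import fnmatch


class UnsafeObjectName(ValueError):
    """Raised when a server-supplied object name fails the client-side checks."""


def escape_for_display(name: str) -> str:
    """Escape non-printable characters so a crafted name cannot inject terminal
    control sequences into the client's progress output (the CVE-2019-6109 class).
    Hypothetical helper for this example."""
    return "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in name)


def validate_received_name(name: str, requested: str) -> str:
    """Accept a file name announced by the server only if it is a plain basename
    that matches what the client requested (the CVE-2019-6111 class).

    `requested` is the basename or glob the client asked for, e.g. "*.txt".
    Returns the name unchanged on success and raises UnsafeObjectName otherwise.
    Hypothetical check, not the upstream implementation.
    """
    shown = escape_for_display(name)
    if not name:
        raise UnsafeObjectName("empty object name")
    # A received object must be a single path component: no separators, no '.'/'..'.
    if "/" in name or name in (".", ".."):
        raise UnsafeObjectName(f"object name is not a plain basename: {shown}")
    # Reject control characters outright rather than relying on escaping at display time.
    if any(not c.isprintable() for c in name):
        raise UnsafeObjectName(f"object name contains control characters: {shown}")
    # fnmatch's '*' matches a leading dot; require an explicit leading '.' in the
    # request before accepting dotfiles, the way a shell glob behaves (design choice).
    if name.startswith(".") and not requested.startswith("."):
        raise UnsafeObjectName(f"unrequested dotfile: {shown}")
    # Finally, the announced name must match the requested name or pattern.
    if not fnmatch.fnmatchcase(name, requested):
        raise UnsafeObjectName(f"object name {shown} does not match request {requested!r}")
    return name


def filter_transfer(announced: list[str], requested: str) -> tuple[list[str], list[str]]:
    """Partition server-announced names into (accepted, rejected) for one request.
    Rejected entries carry the escaped name and the reason, safe to log or print."""
    accepted: list[str] = []
    rejected: list[str] = []
    for name in announced:
        try:
            accepted.append(validate_received_name(name, requested))
        except UnsafeObjectName as exc:
            rejected.append(f"{escape_for_display(name)}: {exc}")
    return accepted, rejected


# Constructed sample: names a misbehaving server might announce when the client
# requested "*.txt". Only the first one should be written to disk.
SAMPLE_ANNOUNCED = [
    "report.txt",               # legitimate
    "../.ssh/authorized_keys",  # path escape, must be rejected
    ".bashrc",                  # unrequested dotfile
    "notes\x1b[2J.txt",         # control characters in the name
    "other.bin",                # does not match the request
]

if __name__ == "__main__":
    ok, bad = filter_transfer(SAMPLE_ANNOUNCED, "*.txt")
    print("accepted:", ok)
    for line in bad:
        print("rejected:", line)
```

Running the block prints one accepted name and four rejection lines; because every rejection message goes through `escape_for_display`, the escape sequence embedded in the fourth sample name shows up as literal `\x1b` text instead of clearing the terminal.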
Comment 1 Teika kazura 2019-02-17 11:48:46 UTC
Upstream doesn't consider (some of?) these scp issues as a bug, according to the Debian tracker of CVE-2019-6110:
  https://security-tracker.debian.org/tracker/CVE-2019-6110

However, CVE-2019-6109 and CVE-2019-6111 have been fixed:
  https://www.debian.org/security/2019/dsa-4387

Best regards.
Comment 2 Larry the Git Cow gentoo-dev 2019-03-03 02:46:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40935d5171a88ca21159ee9db7c2d780b4473a22

commit 40935d5171a88ca21159ee9db7c2d780b4473a22
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-03-03 02:46:29 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-03 02:46:41 +0000

    net-misc/openssh: add some patches, including CVE-2019-6111
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=675522
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-misc/openssh/Manifest                 |   2 +
 net-misc/openssh/openssh-7.9_p1-r3.ebuild | 468 ++++++++++++++++++++++++++++++
 2 files changed, 470 insertions(+)
Comment 3 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-03-06 14:47:19 UTC
amd64 stable
Comment 4 Mart Raudsepp gentoo-dev 2019-03-06 19:45:44 UTC
arm64 stable
Comment 5 Thomas Deutschmann gentoo-dev Security 2019-03-07 15:05:19 UTC
Please proceed with =net-misc/openssh-7.9_p1-r4
Comment 6 Thomas Deutschmann gentoo-dev Security 2019-03-07 21:51:14 UTC
x86 stable
Comment 7 Rolf Eike Beer 2019-03-08 20:39:19 UTC
hppa and sparc done
Comment 8 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-03-10 14:34:48 UTC
arm stable
Comment 9 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-03-10 15:36:34 UTC
alpha stable
Comment 10 Matt Turner gentoo-dev 2019-03-10 21:24:26 UTC
ppc/ppc64 stable
Comment 11 Yury German Gentoo Infrastructure gentoo-dev Security 2019-03-10 21:53:41 UTC
With all the supported arches done, we are going to issue the GLSA. Remaining arches please complete stabilization and clean-up.
Comment 12 Sergei Trofimovich gentoo-dev 2019-03-14 19:38:20 UTC
ia64 stable
Comment 13 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-03-15 23:20:11 UTC
s390 stable
Comment 14 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-03-15 23:20:30 UTC
sh stable
Comment 15 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-03-15 23:20:54 UTC
m68k stable
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2019-03-20 13:37:11 UTC
This issue was resolved and addressed in
 GLSA 201903-16 at https://security.gentoo.org/glsa/201903-16
by GLSA coordinator Aaron Bauman (b-man).
Comment 17 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-20 13:39:03 UTC
re-opened to track cleanup and fixing of twist
Comment 18 Jeroen Roovers gentoo-dev 2019-04-18 09:26:54 UTC
Version 8.0 was released today.
Comment 19 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-09 21:18:57 UTC
@base-system, can this be cleaned yet?