Bug 39436 - openssh: multiple issues (4.0)
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.0-3-errata
Assigned To: Philipp Hahn
QA Contact: Janek Walkenhorst
Reported: 2015-09-29 19:10 CEST by Arvid Requate
Modified: 2015-11-04 17:24 CET
Bug group (optional): Security
requate: Patch_Available+


Description Arvid Requate univentionstaff 2015-09-29 19:10:40 CEST
The following vulnerability has been found in openssh:

* The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list. (CVE-2015-5600)

This flaw only affects OpenSSH configurations that have the 'KbdInteractiveAuthentication' configuration option set to 'yes'. By default, this option has the same value as the 'ChallengeResponseAuthentication' option.

By default, UCS has the 'ChallengeResponseAuthentication' option set to 'yes', via UCR sshd/challengeresponse.

Debian itself is not affected due to its default configuration.
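
Added example (not part of the bug report, and not Univention or OpenSSH code): a simplified sshd_config reader that applies the rule from the description, where KbdInteractiveAuthentication falls back to ChallengeResponseAuthentication when it is not set, to decide whether a host is in scope for CVE-2015-5600. The function name and the sample configurations are constructed; it assumes that the first value of a keyword wins and that ChallengeResponseAuthentication is "yes" when the file never sets it.

```python
import re

# Simplified sshd_config reader (added example, not OpenSSH's parser).
# Assumptions: keywords are case-insensitive, the first value of a keyword
# wins, and ChallengeResponseAuthentication is "yes" when never set.
KBD = "kbdinteractiveauthentication"
CRA = "challengeresponseauthentication"

def _on(value):
    return value in ("yes", "true")

def kbdint_status(config_text):
    """Return (enabled, decided_by, match_blocks_enabling_it)."""
    global_opts, match_overrides, match_ctx = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^\s=]+)[\s=]+(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":
            match_ctx = value          # following lines are conditional
        elif match_ctx is None:
            global_opts.setdefault(key, value)   # first value wins
        elif key == KBD and _on(value):
            match_overrides.append(match_ctx)
    if KBD in global_opts:
        return _on(global_opts[KBD]), "KbdInteractiveAuthentication", match_overrides
    if CRA in global_opts:
        return _on(global_opts[CRA]), "ChallengeResponseAuthentication", match_overrides
    return True, "built-in default", match_overrides

# Constructed sample configurations (not taken from any real host).
INHERITED = "# constructed\nChallengeResponseAuthentication yes\nUsePAM yes\n"
DISABLED = "ChallengeResponseAuthentication no\nUsePAM yes\n"
OVERRIDE = ("ChallengeResponseAuthentication yes\n"
            "KbdInteractiveAuthentication no\n"
            "Match Address 192.0.2.0/24\n"
            "    KbdInteractiveAuthentication yes\n")

if __name__ == "__main__":
    for name, text in [("inherited", INHERITED), ("disabled", DISABLED),
                       ("override", OVERRIDE)]:
        print(name, kbdint_status(text))
```

A non-empty third element means a Match block turns keyboard-interactive authentication back on for some connections even though the global setting is off.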
Comment 1 Arvid Requate univentionstaff 2015-09-29 19:27:25 CEST
There is a patched package in squeeze-lts (see Bug #39437) and in stretch, so I guess one of those might also apply to wheezy. Those patches also fix

  * CVE-2015-5352: Reject X11 connections after hard-coded Xauth cookie
    expiration time of 1200 seconds.
Comment 2 Philipp Hahn univentionstaff 2015-10-26 13:32:07 CET
 CVE-2015-5352 was deemed minor in Debian: <https://security-tracker.debian.org/tracker/CVE-2015-5352>, backported <https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=1bf477d3cdf1a864646d59820878783d42357a1d>

 CVE-2015-5600 does not apply to Debian <https://security-tracker.debian.org/tracker/CVE-2015-5600>, forwardported from Squeeze-LTS

$ repo_admin.py --cherrypick -r 4.0 --releasedest 4.0 --dest errata4.0-2 -p openssh
$ repo_admin.py --cherrypick -r 4.0 -s errata4.0-2 --releasedest 4.0 --dest errata4.0-3 -p openssh

Package: openssh
Version: 1:6.0p1-4.51.201510261316
Branch: ucs_4.0-0
Scope: errata4.0-3

r64851 | Bug #39436: OpenSSH errata4.0-3 YAML
Comment 3 Janek Walkenhorst univentionstaff 2015-11-04 13:33:30 CET
Advisory: OK
Tests (i386): OK
Comment 4 Janek Walkenhorst univentionstaff 2015-11-04 17:24:49 CET