Bug 39437 - openssh: multiple issues (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.2
Other Linux
Importance: P5 normal
Target Milestone: UCS 3.2-7-errata
Assigned To: Philipp Hahn
Daniel Tröder
http://metadata.ftp-master.debian.org...
Depends on:
Blocks:
Reported: 2015-09-29 19:11 CEST by Arvid Requate
Modified: 2015-11-19 13:30 CET (History)

See Also:
Bug group (optional): Security
requate: Patch_Available+
Description Arvid Requate univentionstaff 2015-09-29 19:11:24 CEST
+++ This bug was initially created as a clone of Bug #39436 +++

The following vulnerability has been found in openssh:

* The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list. (CVE-2015-5600)

This flaw only affects OpenSSH configurations that have the 'KbdInteractiveAuthentication' configuration option set to 'yes'. By default, this option has the same value as the 'ChallengeResponseAuthentication' option.

By default, UCS has the 'ChallengeResponseAuthentication' option set to 'yes', via UCR sshd/challengeresponse.

Debian itself is not affected due to its default configuration.
Comment 1 Arvid Requate univentionstaff 2015-09-29 19:17:09 CEST
Actually there has been an update for squeeze-lts: 1:5.5p1-6+squeeze6

  * CVE-2015-5352: Reject X11 connections after hard-coded Xauth cookie
    expiration time of 1200 seconds. (Closes: #790798).
  * CVE-2015-5600: Only query each keyboard-interactive device once per
    authentication request regardless of how many times it is listed.
    (Closes: #793616).
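The two points above (the description's note that exposure depends on the effective KbdInteractiveAuthentication value, and Comment 1's description of the fix that queries each device once per request) modelled as an added example. This is not code from this bug report or from OpenSSH; the device table ("bsdauth", "pam") and the upstream default of ChallengeResponseAuthentication=yes are assumptions.

```python
import re

# Assumption: stock sshd defaults ChallengeResponseAuthentication to "yes",
# matching the UCS default quoted in the report.
DEFAULT_CHALLENGE_RESPONSE = "yes"


def parse_sshd_config(text):
    """Map lowercased keyword -> value; first occurrence wins, as in sshd.

    Comments and blank lines are skipped. Parsing stops at the first
    'Match' block because settings below it are conditional.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match "):
            break
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.+)", line)
        if m:
            settings.setdefault(m.group(1).lower(), m.group(2).strip())
    return settings


def kbd_interactive_enabled(text):
    """Effective KbdInteractiveAuthentication: an explicit value wins,
    otherwise it inherits ChallengeResponseAuthentication."""
    s = parse_sshd_config(text)
    inherited = s.get("challengeresponseauthentication", DEFAULT_CHALLENGE_RESPONSE)
    return s.get("kbdinteractiveauthentication", inherited).lower() == "yes"


def devices_to_query(requested, available=("bsdauth", "pam")):
    """Expand a client-supplied KbdInteractiveDevices string the way the
    fixed sshd does: unknown names are dropped and each known device is
    queried at most once, however often the client repeats it. An empty
    request means "all devices". The device table is a constructed sample."""
    if not requested:
        return list(available)
    seen, result = set(), []
    for name in (n.strip() for n in requested.split(",")):
        if name in available and name not in seen:
            seen.add(name)
            result.append(name)
    return result
```

Run `kbd_interactive_enabled` over the text of an sshd_config to see whether a host is in the affected configuration; `devices_to_query` shows why a long duplicative list yields a single prompt per device after the fix.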
Comment 2 Philipp Hahn univentionstaff 2015-10-26 12:02:30 CET
$ repo_admin.py -U -p openssh -d squeeze-lts -r 3.2-0-0 -s errata3.2-7
r15381 + r15382

Package: openssh
Version: 1:5.5p1-6.49.201510261154
Branch: ucs_3.2-0
Scope: errata3.2-7

r64846 | Bug #39437: OpenSSH errata3.2-7 YAML
r64845 | Bug #39437: OpenSSH errata3.2-7 YAML
 2015-10-26-openssh.yaml
Comment 3 Daniel Tröder univentionstaff 2015-11-16 11:35:05 CET
OK: DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-client openssh-server
OK: /usr/share/doc/openssh-server/changelog.Debian.gz
OK: 2015-10-26-openssh.yaml
OK: Test: ssh localhost; ssh to-other-host; ssh from-other-host
Comment 4 Janek Walkenhorst univentionstaff 2015-11-19 13:30:33 CET
<http://errata.software-univention.de/ucs/3.2/379.html>