Bug 47778 - openssh: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
All Linux
: P3 normal
: UCS 4.2-4-errata
Assigned To: Quality Assurance
Philipp Hahn
Reported: 2018-09-11 09:16 CEST by Quality Assurance
Modified: 2018-09-12 13:19 CEST
What kind of report is it?: Security Issue
Max CVSS v3 score: 6.6 (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
Description Quality Assurance univentionstaff 2018-09-11 09:16:06 CEST
New Debian openssh 1:6.7p1-5+deb8u6A~4.2.4.201809110916 fixes:
This update addresses the following issues:
* XSECURITY restrictions bypass under certain conditions in ssh(1) (CVE-2015-5352)
* MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices (CVE-2015-5600)
* Privilege separation weakness related to PAM support (CVE-2015-6563)
* Use-after-free bug related to PAM support (CVE-2015-6564)
* Possible fallback from untrusted to trusted X11 forwarding (CVE-2016-1908)
* Missing sanitisation of input for X11 forwarding (CVE-2016-3115)
* Denial of service via very long passwords (CVE-2016-6515)
* Loading of untrusted PKCS#11 modules in ssh-agent (CVE-2016-10009)
* Leak of host private key material to privilege-separated child process via realloc() (CVE-2016-10011)
* Bounds check can be evaded in the shared memory manager used by pre-authentication compression support (CVE-2016-10012)
* Out of sequence NEWKEYS message can allow remote attacker to cause denial of service (CVE-2016-10708)
* Improper write operations in readonly mode allow for zero-length file creation (CVE-2017-15906)
Comment 1 Quality Assurance univentionstaff 2018-09-11 11:01:49 CEST
--- mirror/ftp/4.2/unmaintained/component/4.2-4-errata/source/openssh_6.7p1-5+deb8u5A~4.2.4.201808221019.dsc
+++ apt/ucs_4.2-0-errata4.2-4/source/openssh_6.7p1-5+deb8u6.dsc
@@ -1,9 +1,35 @@
-1:6.7p1-5+deb8u5A~4.2.4.201808221019 [Wed, 22 Aug 2018 10:19:17 +0200] Univention builddaemon <buildd@univention.de>:
+1:6.7p1-5+deb8u6 [Wed, 29 Aug 2018 12:01:36 +0200] Santiago Ruano Rincón <santiagorr@riseup.net>:
 
-  * UCS auto build. The following patches have been applied to the original source package
-    CVE-2015-5352
-    CVE-2015-5600-1
-    CVE-2015-5600-2
+  * Fix CVE-2015-5352: Reject X11 connections after hard-coded Xauth cookie
+    expiration time of 1200 seconds.
+    (Closes: #790798)
+  * CVE-2015-5600: MaxAuthTries limit bypass via duplicates in
+    KbdInteractiveDevices
+    - Add debian/patches/CVE-2015-5600-2.patch: initialize struct field
+    (Closes: #793616)
+  * CVE-2015-6563: Privilege separation weakness in PAM support
+    (Closes: #795711)
+  * CVE-2015-6564: use-after-free in PAM support
+  * CVE-2016-10009: Untrusted search path vulnerability in ssh-agent.c in
+    ssh-agent allows remote attackers to execute arbitrary local PKCS#11
+    modules by leveraging control over a forwarded agent-socket.
+  * CVE-2016-10011: Possible local information disclosure by the effects of
+    realloc on buffer contents
+    (Closes: #848716)
+    - add split-allocation-out-of-sshbuf_reserve.patch, required to address
+      the issue.
+  * CVE-2016-10012: Lack of bounds check in the shared memory manager that
+    could lead to local privilege escalation
+    (Closes: #848717)
+  * CVE-2016-10708: privsep process chrashing via an out-of-sequence
+    NEWKEYS message
+  * CVE-2016-1908: mishandling failed cookie generation for untrusted X11
+    forwarding
+  * CVE-2016-3115: shell-command restrictions bypass via crafted X11
+    forwarding data
+  * CVE-2016-6515: not limit password lengths for password authentication
+    that may be used to DoS via crypt CPU consumption
+  * CVE-2017-15906: sftp-server.c flaw at handling zero-length files.
 
 1:6.7p1-5+deb8u5 [Tue, 21 Aug 2018 18:04:27 +0100] Chris Lamb <lamby@debian.org>:
 
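Review bot: the CVE-2016-10708 entry (`+  * CVE-2016-10708: privsep process chrashing via an out-of-sequence`) has a typo, "chrashing" should be "crashing", and the CVE-2016-6515 entry ("not limit password lengths for password authentication") reads better as "does not limit password lengths ...". Separately, the dropped UCS entry listed both CVE-2015-5600-1 and CVE-2015-5600-2, while the new CVE-2015-5600 entry only names debian/patches/CVE-2015-5600-2.patch; it is worth confirming that the first part of that fix is included in deb8u6 before relying on the changelog as the record of what was applied.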

<http://10.200.17.11/4.2-4/#2247060911678882918>
Comment 2 Philipp Hahn univentionstaff 2018-09-11 11:11:17 CEST
r18276 | Bug #47778: Drop UCS specific patches merged by Debian
  - CVE-2015-5352.quilt
  - CVE-2015-5600-1.quilt
  - CVE-2015-5600-2.quilt

OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.2-4] 4d3635e8a3 Bug #47778: openssh 1:6.7p1-5+deb8u6
 doc/errata/staging/openssh.yaml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
Comment 3 Philipp Hahn univentionstaff 2018-09-12 13:19:59 CEST
<http://errata.software-univention.de/ucs/4.2/510.html>