Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.0363
A vulnerability has been fixed in OpenSSH 6.6.
19 March 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenSSH
Publisher: OpenSSH
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2014-2532
Original Bulletin:
http://www.openssh.com/txt/release-6.6
- --------------------------BEGIN INCLUDED TEXT--------------------
OpenSSH 6.6 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html
Changes since OpenSSH 6.6
=========================
This is primarily a bugfix release.
Security:
* sshd(8): when using environment passing with a sshd_config(5)
AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be
tricked into accepting any enviornment variable that contains the
characters before the wildcard character.
New / changed features:
* ssh(1), sshd(8): this release removes the J-PAKE authentication code.
This code was experimental, never enabled and had been unmaintained
for some time.
* ssh(1): when processing Match blocks, skip 'exec' clauses other clauses
predicates failed to match.
* ssh(1): if hostname canonicalisation is enabled and results in the
destination hostname being changed, then re-parse ssh_config(5) files
using the new destination hostname. This gives 'Host' and 'Match'
directives that use the expanded hostname a chance to be applied.
Bugfixes:
* ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in
ssh -W. bz#2200, debian#738692
* sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace
sandbox modes, as it is reachable if the connection is terminated
during the pre-auth phase.
* ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1 bignum
parsing. Minimum key length checks render this bug unexploitable to
compromise SSH 1 sessions.
* sshd_config(5): clarify behaviour of a keyword that appears in
multiple matching Match blocks. bz#2184
* ssh(1): avoid unnecessary hostname lookups when canonicalisation is
disabled. bz#2205
* sshd(8): avoid sandbox violation crashes in GSSAPI code by caching
the supported list of GSSAPI mechanism OIDs before entering the
sandbox. bz#2107
* ssh(1): fix possible crashes in SOCKS4 parsing caused by assumption
that the SOCKS username is nul-terminated.
* ssh(1): fix regression for UsePrivilegedPort=yes when BindAddress is
not specified.
* ssh(1), sshd(8): fix memory leak in ECDSA signature verification.
* ssh(1): fix matching of 'Host' directives in ssh_config(5) files
to be case-insensitive again (regression in 6.5).
Portable OpenSSH:
* sshd(8): don't fatal if the FreeBSD Capsicum is offered by the
system headers and libc but is not supported by the kernel.
* Fix build using the HP-UX compiler.
Checksums:
==========
- SHA1 (openssh-6.6.tar.gz) = bf932d798324ff2502409d3714d0ad8d65c7e1e7
- SHA256 (openssh-6.6.tar.gz) = jaSJE5aiQRm+91dV6EvVGr/ozo33tbxyjjFSiu+Cy80=
- SHA1 (openssh-6.6p1.tar.gz) = b850fd1af704942d9b3c2eff7ef6b3a59b6a6b6e
- SHA256 (openssh-6.6p1.tar.gz) = SMHwZktFNIdQOABMxPNVW4MpwqgcHfSNtcUXgA3iA7s=
Please note that the PGP key used to sign releases was recently rotated.
The new key has been signed by the old key to provide continuity. It is
available from the mirror sites as RELEASE_KEY.asc.
Reporting Bugs:
===============
- - Please read http://www.openssh.com/report.html
Security bugs should be reported directly to openssh@openssh.com
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUyk+MBLndAQH1ShLAQLjLg//WcEL9AiEbOTiSMQuZlhLJv1aEXYVhLua
1ioZSxhtJ3Zaq3EWErC52CVXDE+SaNWOQ8KM921KVCobW6aik/qFzgtQ+IGsIMHj
C82fCeTzuoWWXdy25pd+1SI7L0qA+LY2QoltZH8IwSyCGquivMLzMm1rxGk4iVmB
TzXgqud762RCw+bBEbybrARwC5xnSluthuCPgLYb1ZW3wE1gCbjv4m/3QULhOayC
AWCb2AfR3RkmUt8SS43Pj4MJ3QyftrGXEGT0TZLabwhpVe9QZ0MPHAzpwHEGI4CQ
g+8kJsb5P60Z/Xcj69vmF4HRrtBLp/hEa6NyF0xMOzCAtG4FtE+idanXHE4Do0OI
1dr8uoEYz0NePdj1d0oCTO/G2/ldDfOgebqwFabtMWr993eq/uE30d5ShSOFWQX1
U5OOZL5eU/OEPYEDynse7w/MCsLw3ZZxcL2B4Shw5JNwyKWHxQ3sMT9E43oDhBm/
5BKbYSZjGactfGFu5iylwX/v6x8M6gerebuI9wrRiPMaN5nJIn1DvfxnRcxnqCIV
wSa/6kW/s2AfL8VemXmQKgbvEGUfFzAbM3N6m+s8jNE+wzMCXUCTGzX6gwzg/seD
IPl2dqrzXcjBp7kt4BTLA2THJq2mfyiH5P7QF5WgpmgVQsD4vUPh9Utba7lqHLl6
kzxPt74pai4=
=KE4k
-----END PGP SIGNATURE-----