Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2015.1814 Multiple vulnerabilities has been fixed in OpenSSH 6.6. 9 July 2015 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: OpenSSH Publisher: OpenSSH Operating System: UNIX variants (UNIX, Linux, OSX) Windows Impact/Access: Access Privileged Data -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2015-5352 Original Bulletin: http://www.openssh.com/txt/release-6.9 - --------------------------BEGIN INCLUDED TEXT-------------------- OpenSSH 6.9 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: http://www.openssh.com/donations.html Future Deprecation Notice ========================= The 7.0 release of OpenSSH, due for release in late July, will deprecate several features, some of which may affect compatibility or existing configurations. The intended changes are as follows: * The default for the sshd_config(5) PermitRootLogin option will change from "yes" to "no". * Support for the legacy version 1.x of the SSH protocol will be disabled at compile time by default. * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange will be run-time disabled by default. * Support for ssh-dss, ssh-dss-cert-* host and user keys will be run-time disabled by default. * Support for the legacy v00 cert format will be removed * Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc, all arcfour variants and the rijndael-cbc aliases for AES * Refusing all RSA keys smaller than 1024 bits (the current minimum is 768 bits) This list reflects our current intentions, but please check the final release notes for OpenSSH 7.0 when it is released. Changes since OpenSSH 6.8 ========================= This is primarily a bugfix release. Security - -------- * ssh(1): when forwarding X11 connections with ForwardX11Trusted=no, connections made after ForwardX11Timeout expired could be permitted and no longer subject to XSECURITY restrictions because of an ineffective timeout check in ssh(1) coupled with "fail open" behaviour in the X11 server when clients attempted connections with expired credentials. This problem was reported by Jann Horn. * ssh-agent(1): fix weakness of agent locking (ssh-add -x) to password guessing by implementing an increasing failure delay, storing a salted hash of the password rather than the password itself and using a timing-safe comparison function for verifying unlock attempts. This problem was reported by Ryan Castellucci. New Features - ------------ * ssh(1), sshd(8): promote chacha20-poly1305@openssh.com to be the default cipher * sshd(8): support admin-specified arguments to AuthorizedKeysCommand; bz#2081 * sshd(8): add AuthorizedPrincipalsCommand that allows retrieving authorized principals information from a subprocess rather than a file. * ssh(1), ssh-add(1): support PKCS#11 devices with external PIN entry devices bz#2240 * sshd(8): allow GSSAPI host credential check to be relaxed for multihomed hosts via GSSAPIStrictAcceptorCheck option; bz#928 * ssh-keygen(1): support "ssh-keygen -lF hostname" to search known_hosts and print key hashes rather than full keys. * ssh-agent(1): add -D flag to leave ssh-agent in foreground without enabling debug mode; bz#2381 Bugfixes - -------- * ssh(1), sshd(8): deprecate legacy SSH2_MSG_KEX_DH_GEX_REQUEST_OLD message and do not try to use it against some 3rd-party SSH implementations that use it (older PuTTY, WinSCP). * Many fixes for problems caused by compile-time deactivation of SSH1 support (including bz#2369) * ssh(1), sshd(8): cap DH-GEX group size at 4Kbits for Cisco implementations as some would fail when attempting to use group sizes >4K; bz#2209 * ssh(1): fix out-of-bound read in EscapeChar configuration option parsing; bz#2396 * sshd(8): fix application of PermitTunnel, LoginGraceTime, AuthenticationMethods and StreamLocalBindMask options in Match blocks * ssh(1), sshd(8): improve disconnection message on TCP reset; bz#2257 * ssh(1): remove failed remote forwards established by muliplexing from the list of active forwards; bz#2363 * sshd(8): make parsing of authorized_keys "environment=" options independent of PermitUserEnv being enabled; bz#2329 * sshd(8): fix post-auth crash with permitopen=none; bz#2355 * ssh(1), ssh-add(1), ssh-keygen(1): allow new-format private keys to be encrypted with AEAD ciphers; bz#2366 * ssh(1): allow ListenAddress, Port and AddressFamily configuration options to appear in any order; bz#86 * sshd(8): check for and reject missing arguments for VersionAddendum and ForceCommand; bz#2281 * ssh(1), sshd(8): don't treat unknown certificate extensions as fatal; bz#2387 * ssh-keygen(1): make stdout and stderr output consistent; bz#2325 * ssh(1): mention missing DISPLAY environment in debug log when X11 forwarding requested; bz#1682 * sshd(8): correctly record login when UseLogin is set; bz#378 * sshd(8): Add some missing options to sshd -T output and fix output of VersionAddendum and HostCertificate. bz#2346 * Document and improve consistency of options that accept a "none" argument" TrustedUserCAKeys, RevokedKeys (bz#2382), AuthorizedPrincipalsFile (bz#2288) * ssh(1): include remote username in debug output; bz#2368 * sshd(8): avoid compatibility problem with some versions of Tera Term, which would crash when they received the hostkeys notification message (hostkeys-00@openssh.com) * sshd(8): mention ssh-keygen -E as useful when comparing legacy MD5 host key fingerprints; bz#2332 * ssh(1): clarify pseudo-terminal request behaviour and use make manual language consistent; bz#1716 * ssh(1): document that the TERM environment variable is not subject to SendEnv and AcceptEnv; bz#2386 Portable OpenSSH - ---------------- * sshd(8): Format UsePAM setting when using sshd -T, part of bz#2346 * Look for '${host}-ar' before 'ar', making cross-compilation easier; bz#2352. * Several portable compilation fixes: bz#2402, bz#2337, bz#2370 * moduli(5): update DH-GEX moduli Checksums: ========== - SHA1 (openssh-6.9.tar.gz) = cd5fcb93411025bbc4b4b57753b622769dfb1e0d - SHA256 (openssh-6.9.tar.gz) = itCMw0aE/xvrGKWhzRD2UM/9kzIOyFaH2dIWMfX8agQ= - SHA1 (openssh-6.9p1.tar.gz) = 86ab57f00d0fd9bf302760f2f6deac1b6e9df265 - SHA256 (openssh-6.9p1.tar.gz) = bgdN9TjzV9RAvmz5PcWBoh8i054jbyF/zY6su2yJbP4= Please note that the PGP key used to sign releases was recently rotated. The new key has been signed by the old key to provide continuity. It is available from the mirror sites as RELEASE_KEY.asc. Reporting Bugs: =============== - - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVZ4EJ36ZAP0PgtI9AQK7jRAAjoH/j/iWRzQjXO7PbLalXGMeVuHyinVH DuhZAcbZ8OSPJCGKt+mQWsGPH2hikttq2D+0SNj83IvIbU3TKnGiwBn1NoJDZojY ewjMD0Rjx2rXzfGAAyFw78MaHDYmcBlDaxeywmRPh7PhHlWblurC+VDL6aKmbaRj YWo4f9QFNqVRil3G970VHrDzDDI1JOzODl/ox2mk4Z3PSzjkBqnli6kzeRPJKmoi LB4sPjjlRTD2RDHDYr/JmabIHirxGv5n4rb2yH4HHv+rqzWsm4yIDdVUmm9gq/2k N7rrnEgS1JjZQs2S3LPqfB3+W69ia7/sqZOunOn9Prjr+vmr9Dunlw2cvyvefcDw VoBzubZGN/878oACGo+dzC0Wh8bkGIjaIPWo5zeiTsFR8hizHpUZd1hqK8U4kSoN 0T90uR0HAM+vOIFUKwogXraj7v2eRUQd2xWXMKA7jR7nYD9lK137fiXyliYjlZGr l+todypuvuc5sVLUzJF57lEiDOAG+Nn+FT8vxdQDnrgIdyWvydSI20skhxgvHpp5 5mFxiipGE68Z9smtank7QjuwbcF7D0x5lHn5him/UQ4Tx6lwbwMsMkyPHE57BLVG v36TpwCa4fnwQz2b6645MGmtOlW/7U7wTQVpBEhlw3by13FKATst+fR25EXJAUWf XZGhwT9TfD0= =exIW -----END PGP SIGNATURE-----