[gentoo-announce] [ GLSA 201405-06 ] OpenSSH: Multiple vulnerabilities - gentoo-announce

From:	Mikle Kolyada <zlogene@g.o>
To:	gentoo-announce@g.o
Subject:	[gentoo-announce] [ GLSA 201405-06 ] OpenSSH: Multiple vulnerabilities
Date:	Sun, 11 May 2014 13:53:47
Message-Id:	`536F819A.3010504@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201405-06

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: High

8

    Title: OpenSSH: Multiple vulnerabilities

9

     Date: May 11, 2014

10

     Bugs: #231292, #247466, #386307, #410869, #419357, #456006, #505066

11

       ID: 201405-06

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple vulnerabilities have been found in OpenSSH, the worst of which

19

may allow remote attackers to execute arbitrary code.

20

21

Background

22

==========

23

24

OpenSSH is a complete SSH protocol implementation that includes an SFTP

25

client and server support.

26

27

Affected packages

28

=================

29

30

    -------------------------------------------------------------------

31

     Package              /     Vulnerable     /            Unaffected

32

    -------------------------------------------------------------------

33

  1  net-misc/openssh           < 6.6_p1-r1              >= 6.6_p1-r1 

34

35

Description

36

===========

37

38

Multiple vulnerabilities have been discovered in OpenSSH. Please review

39

the CVE identifiers referenced below for details.

40

41

Impact

42

======

43

44

A remote attacker could execute arbitrary code, cause a Denial of

45

Service condition, obtain sensitive information, or bypass environment

46

restrictions.

47

48

Workaround

49

==========

50

51

There is no known workaround at this time.

52

53

Resolution

54

==========

55

56

All OpenSSH users should upgrade to the latest version:

57

58

  # emerge --sync

59

  # emerge --ask --oneshot --verbose ">=net-misc/openssh-6.6_p1-r1"

60

61

NOTE: One or more of the issues described in this advisory have been

62

fixed in previous updates. They are included in this advisory for the

63

sake of completeness. It is likely that your system is already no

64

longer affected by them.

65

66

References

67

==========

68

69

[ 1 ] CVE-2008-5161

70

      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5161

71

[ 2 ] CVE-2010-4478

72

      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4478

73

[ 3 ] CVE-2010-4755

74

      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4755

75

[ 4 ] CVE-2010-5107

76

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-5107

77

[ 5 ] CVE-2011-5000

78

      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-5000

79

[ 6 ] CVE-2012-0814

80

      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0814

81

[ 7 ] CVE-2014-2532

82

      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2532

83

84

Availability

85

============

86

87

This GLSA and any updates to it are available for viewing at

88

the Gentoo Security Website:

89

90

 http://security.gentoo.org/glsa/glsa-201405-06.xml

91

92

Concerns?

93

=========

94

95

Security is a primary focus of Gentoo Linux and ensuring the

96

confidentiality and security of our users' machines is of utmost

97

importance to us. Any security concerns should be addressed to

98

security@g.o or alternatively, you may file a bug at

99

https://bugs.gentoo.org.

100

101

License

102

=======

103

104

Copyright 2014 Gentoo Foundation, Inc; referenced text

105

belongs to its owner(s).

106

107

The contents of this document are licensed under the

108

Creative Commons - Attribution / Share Alike license.

109

110

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201405-06
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: High
8	Title: OpenSSH: Multiple vulnerabilities
9	Date: May 11, 2014
10	Bugs: #231292, #247466, #386307, #410869, #419357, #456006, #505066
11	ID: 201405-06
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple vulnerabilities have been found in OpenSSH, the worst of which
19	may allow remote attackers to execute arbitrary code.
20
21	Background
22	==========
23
24	OpenSSH is a complete SSH protocol implementation that includes an SFTP
25	client and server support.
26
27	Affected packages
28	=================
29
30	-------------------------------------------------------------------
31	Package / Vulnerable / Unaffected
32	-------------------------------------------------------------------
33	1 net-misc/openssh < 6.6_p1-r1 >= 6.6_p1-r1
34
35	Description
36	===========
37
38	Multiple vulnerabilities have been discovered in OpenSSH. Please review
39	the CVE identifiers referenced below for details.
40
41	Impact
42	======
43
44	A remote attacker could execute arbitrary code, cause a Denial of
45	Service condition, obtain sensitive information, or bypass environment
46	restrictions.
47
48	Workaround
49	==========
50
51	There is no known workaround at this time.
52
53	Resolution
54	==========
55
56	All OpenSSH users should upgrade to the latest version:
57
58	# emerge --sync
59	# emerge --ask --oneshot --verbose ">=net-misc/openssh-6.6_p1-r1"
60
61	NOTE: One or more of the issues described in this advisory have been
62	fixed in previous updates. They are included in this advisory for the
63	sake of completeness. It is likely that your system is already no
64	longer affected by them.
65
66	References
67	==========
68
69	[ 1 ] CVE-2008-5161
70	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5161
71	[ 2 ] CVE-2010-4478
72	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4478
73	[ 3 ] CVE-2010-4755
74	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4755
75	[ 4 ] CVE-2010-5107
76	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-5107
77	[ 5 ] CVE-2011-5000
78	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-5000
79	[ 6 ] CVE-2012-0814
80	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0814
81	[ 7 ] CVE-2014-2532
82	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2532
83
84	Availability
85	============
86
87	This GLSA and any updates to it are available for viewing at
88	the Gentoo Security Website:
89
90	http://security.gentoo.org/glsa/glsa-201405-06.xml
91
92	Concerns?
93	=========
94
95	Security is a primary focus of Gentoo Linux and ensuring the
96	confidentiality and security of our users' machines is of utmost
97	importance to us. Any security concerns should be addressed to
98	security@g.o or alternatively, you may file a bug at
99	https://bugs.gentoo.org.
100
101	License
102	=======
103
104	Copyright 2014 Gentoo Foundation, Inc; referenced text
105	belongs to its owner(s).
106
107	The contents of this document are licensed under the
108	Creative Commons - Attribution / Share Alike license.
109
110	http://creativecommons.org/licenses/by-sa/2.5