SciLinux: CVE-2014-2653 Moderate: openssh SL7.x x86_64
Summary
Moderate: openssh security, bug fix and enhancement update
Date: Wed, 25 Mar 2015 15:19:49 +0000
Reply-To: scientific-linux-users@listserv.fnal.gov
Sender: Security Errata for Scientific Linux
From: Pat Riehecky
Subject: Security ERRATA Moderate: openssh on SL7.x x86_64
MIME-Version: 1.0

Synopsis: Moderate: openssh security, bug fix and enhancement update
Advisory ID: SLSA-2015:0425-2
Issue Date: 2015-03-05
CVE Numbers: CVE-2014-2653
             CVE-2014-9278
--

It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to make a connecting client skip the SSHFP record check entirely, leaving the user to verify the server's host key manually instead of having it checked against DNS. (CVE-2014-2653)

It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in that user's ~/.k5users file, potentially bypassing intended authentication restrictions. (CVE-2014-9278)

The openssh packages have been upgraded to upstream version 6.6.1, which provides a number of bug fixes and enhancements over the previous version.

Bug fixes:

* An existing /dev/log socket is needed when logging through the syslog utility, which is not possible in every chroot environment based on a user's home directory. As a consequence, sftp commands were not logged by the internal sftp subsystem in a chroot setup without /dev/log. With this update, openssh detects whether /dev/log exists; if it does not, processes in the chroot environment log through their master process instead.

* The buffer size for a host name was limited to 64 bytes. As a consequence, the ssh-keygen utility failed when a host name was 64 bytes long or longer. The buffer size has been increased, and ssh-keygen no longer fails in the described situation.

* Non-ASCII characters were replaced by their octal representations in banner messages in order to prevent terminal re-programming attacks. Consequently, banners containing UTF-8 strings were not displayed correctly in a client. With this update, banner messages are processed according to RFC 3454, control characters are removed, and banners containing UTF-8 strings are displayed correctly.

* Scientific Linux uses persistent Kerberos credential caches, which are shared between sessions. Previously, the GSSAPICleanupCredentials option defaulted to "yes". Consequently, removing a Kerberos cache on logout could remove unrelated credentials belonging to other sessions, which could make the system unusable. To fix this bug, GSSAPICleanupCredentials now defaults to "no".

* Access permissions for the /etc/ssh/moduli file were set to 0600, which was unnecessarily strict for a file that only holds public Diffie-Hellman group parameters. With this update, the permissions for /etc/ssh/moduli have been changed to 0644.

* Because the KRB5CCNAME variable was truncated, the Kerberos ticket cache was not found after login over a Kerberos-enabled SSH connection. The underlying source code has been modified to fix this bug, and Kerberos authentication works as expected in the described situation.

Enhancements:

* When the sshd daemon is configured to force the internal SFTP subsystem and a client attempts a session other than SFTP, an appropriate message is now logged to the /var/log/secure file.

* The sshd-keygen service was run using the "ExecStartPre=-/usr/sbin/sshd-keygen" option in the sshd.service unit file. With this update, a separate sshd-keygen.service unit file has been added, and sshd.service has been adjusted to require sshd-keygen.service.
--

SL7
  x86_64
    openssh-6.6.1p1-11.el7.x86_64.rpm
    openssh-askpass-6.6.1p1-11.el7.x86_64.rpm
    openssh-clients-6.6.1p1-11.el7.x86_64.rpm
    openssh-debuginfo-6.6.1p1-11.el7.x86_64.rpm
    openssh-keycat-6.6.1p1-11.el7.x86_64.rpm
    openssh-server-6.6.1p1-11.el7.x86_64.rpm
    openssh-debuginfo-6.6.1p1-11.el7.i686.rpm
    openssh-ldap-6.6.1p1-11.el7.x86_64.rpm
    openssh-server-sysvinit-6.6.1p1-11.el7.x86_64.rpm
    pam_ssh_agent_auth-0.9.3-9.11.el7.i686.rpm
    pam_ssh_agent_auth-0.9.3-9.11.el7.x86_64.rpm

- Scientific Linux Development Team
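The checks below are an added example for verifying that a host picked up this errata and the configuration changes it describes; they are not part of the advisory or of the openssh packages. The package name, fixed version-release, file paths, unit name and the new GSSAPICleanupCredentials default are taken from the advisory text; the function names, the GNU coreutils dependency (sort -V, stat -c) and the use of rpm for the live check are my own assumptions.

```sh
#!/bin/sh
# Post-update checks for SLSA-2015:0425-2 on an SL7/EL7 host (added example,
# not the project's code). Run the live checks with:  sh slsa-check.sh --check
# The helper functions take file paths or strings so they can be exercised
# against constructed inputs without touching the real system.

FIXED_EVR="6.6.1p1-11.el7"   # VERSION-RELEASE of the fixed packages (from the advisory)

# rpm_evr_ge HAVE WANT: succeed if HAVE is at or after WANT in version order.
# Assumption: GNU sort -V is adequate for these version-release strings
# (no tilde/caret handling, unlike rpmvercmp).
rpm_evr_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# installed_evr PKG: print VERSION-RELEASE of an installed RPM, empty if absent.
installed_evr() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null | head -n 1
}

# sshd_option FILE KEYWORD DEFAULT: print the effective value of a global
# sshd_config keyword. sshd uses the first occurrence of a keyword, so the
# scan stops at the first match; comments and blank lines are skipped;
# both "Keyword value" and "Keyword=value" forms are accepted.
sshd_option() {
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        {
            split($0, f, /[ \t=]+/)
            if (tolower(f[1]) == key) { print tolower(f[2]); exit }
        }' "$1")
    printf '%s\n' "${val:-$3}"
}

# gssapi_cleanup_ok FILE: the advisory makes "no" the SL7 default (upstream
# sshd defaults to "yes"); on a host with shared persistent ccaches, an
# explicit "yes" re-enables the logout behaviour that the advisory fixed.
gssapi_cleanup_ok() {
    [ "$(sshd_option "$1" GSSAPICleanupCredentials no)" = "no" ]
}

# moduli_mode_ok FILE: /etc/ssh/moduli should be 0644 after the update.
moduli_mode_ok() {
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = "644" ]
}

# unit_requires_keygen FILE: sshd.service should pull in sshd-keygen.service
# (Requires= per the advisory; Wants= also accepted) and no longer run
# /usr/sbin/sshd-keygen itself as an ExecStartPre step.
unit_requires_keygen() {
    grep -Eq '^[[:space:]]*(Requires|Wants)=.*sshd-keygen\.service' "$1" &&
    ! grep -Eq '^[[:space:]]*ExecStartPre=-?/usr/sbin/sshd-keygen' "$1"
}

# main: run every check against the live system and report ok/FAIL per item.
main() {
    rc=0
    have=$(installed_evr openssh-server)
    if [ -n "$have" ] && rpm_evr_ge "$have" "$FIXED_EVR"; then
        echo "ok   openssh-server $have >= $FIXED_EVR"
    else
        echo "FAIL openssh-server ${have:-not installed}, need >= $FIXED_EVR"; rc=1
    fi
    gssapi_cleanup_ok /etc/ssh/sshd_config && echo "ok   GSSAPICleanupCredentials no" \
        || { echo "FAIL GSSAPICleanupCredentials is yes"; rc=1; }
    moduli_mode_ok /etc/ssh/moduli && echo "ok   /etc/ssh/moduli is 0644" \
        || { echo "FAIL /etc/ssh/moduli mode is not 0644"; rc=1; }
    unit_requires_keygen /usr/lib/systemd/system/sshd.service \
        && echo "ok   sshd.service requires sshd-keygen.service" \
        || { echo "FAIL sshd.service does not require sshd-keygen.service"; rc=1; }
    return $rc
}

case "${1:-}" in
    --check) main ;;
esac
```

The version comparison deliberately looks at openssh-server's VERSION-RELEASE rather than grepping `ssh -V`, because the fix level is carried in the RPM release tag (-11.el7), not in the upstream version string 6.6.1p1. The sshd_config parser stops at the first match because that is how sshd resolves duplicate keywords; a later "no" does not undo an earlier "yes".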