Advisories ยป MGASA-2016-0280

Updated openssh packages fix security vulnerability

Publication date: 31 Aug 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2015-8325 , CVE-2016-6210 , CVE-2016-6515


The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2,
when the UseLogin feature is enabled and PAM is configured to read
.pam_environment files in user home directories, allows local users to
gain privileges by triggering a crafted environment for the /bin/login
program, as demonstrated by an LD_PRELOAD environment variable

When SSHD tries to authenticate a non-existing user, it will pick up a
fake password structure hard-coded in the SSHD source code. An attacker
can measure timing information to determine if a user exists when
verifying a password (CVE-2016-6210).

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3
does not limit password lengths for password authentication, which allows
remote attackers to cause a denial of service (crypt CPU consumption) via
a long string (CVE-2016-6515).

Note that CVE-2015-8325 and CVE-2016-6210 wouldn't affect most Mageia
systems, as UseLogin is not enabled by default and Mageia uses Blowfish
password hashes by default.