Updated openssh packages fix security vulnerability
Publication date: 31 Aug 2016
Modification date: 31 Aug 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2015-8325, CVE-2016-6210, CVE-2016-6515
Description
The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable (CVE-2015-8325).

When SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hard-coded in the SSHD source code. An attacker can measure timing information to determine if a user exists when verifying a password (CVE-2016-6210).

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string (CVE-2016-6515).

Note that CVE-2015-8325 and CVE-2016-6210 wouldn't affect most Mageia systems, as UseLogin is not enabled by default and Mageia uses Blowfish password hashes by default.
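An added example, not part of the Mageia advisory: a Python check for whether a host departs from the two defaults the note above relies on. It reads the UseLogin setting from sshd_config text and lists accounts in shadow-format text whose hash is not Blowfish; the sample inputs are constructed, and treating a non-Blowfish hash as the CVE-2016-6210 condition is an assumption drawn from that note.

```python
import re

# Constructed sample inputs (not taken from a real host).
SAMPLE_SSHD_CONFIG = "Port 22\nUseLogin yes\nPasswordAuthentication yes\n"
SAMPLE_SHADOW = """\
root:$2a$08$constructedsaltconstructedhashvalue:17000:0:99999:7:::
alice:$6$constructedsalt$constructedhashvalue:17000:0:99999:7:::
bob:$2y$08$constructedsaltconstructedhashvalue:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
"""


def uselogin_enabled(sshd_config_text):
    """True if the first UseLogin directive says yes (first value wins; absent means no)."""
    for line in sshd_config_text.splitlines():
        # Keywords are case-insensitive; commented-out lines start with '#' and never match.
        m = re.match(r"(?i)uselogin(?:\s*=\s*|\s+)(\S+)", line.strip())
        if m:
            return m.group(1).strip('"').lower() == "yes"
    return False


def non_blowfish_accounts(shadow_text):
    """Accounts whose password hash is present but is not a Blowfish ($2...$) hash."""
    flagged = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if not pw.startswith("$"):  # locked, disabled or empty entries (*, !, !!, "")
            continue
        if not re.match(r"\$2[abxy]?\$", pw):
            flagged.append(user)
    return flagged


def audit(sshd_config_text, shadow_text):
    """Collect both findings, keyed by the CVE whose precondition they indicate."""
    return {
        "CVE-2015-8325 precondition (UseLogin yes)": uselogin_enabled(sshd_config_text),
        "CVE-2016-6210 accounts with non-Blowfish hashes": non_blowfish_accounts(shadow_text),
    }


if __name__ == "__main__":
    for finding, value in audit(SAMPLE_SSHD_CONFIG, SAMPLE_SHADOW).items():
        print(f"{finding}: {value}")
```

On a real host, pass the contents of /etc/ssh/sshd_config and /etc/shadow (the latter needs root to read). CVE-2015-8325 additionally requires PAM to read .pam_environment files, which this check does not inspect.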
References
- https://bugs.mageia.org/show_bug.cgi?id=18222
- https://www.debian.org/security/2016/dsa-3550
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6210
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/X2L6RW34VFNXYNVVN2CN73YAGJ5VMTFU/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8325
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6210
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6515
SRPMS
5/core
- openssh-6.6p1-5.9.mga5