ID

VAR-201601-0029

CVE

CVE-2016-0777

TITLE

OpenSSH Client contains a client information leak vulnerability and buffer overflow

DESCRIPTION

The resend_bytes function in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2 allows remote servers to obtain sensitive information from process memory by requesting transmission of an entire buffer, as demonstrated by reading a private key. OpenSSH client code versions 5.4 through 7.1p1 contains a client information leak vulnerability that could allow an OpenSSH client to leak information not limited to but including private keys, as well as a buffer overflow in certain non-default configurations. OpenSSH is prone to an information-disclosure vulnerability. Successfully exploiting this issue allows attackers to obtain sensitive information that may aid in further attacks. OpenSSH (OpenBSD Secure Shell) is a set of connection tools for securely accessing remote computers maintained by the OpenBSD project team. This tool is an open source implementation of the SSH protocol, supports encryption of all transmissions, and can effectively prevent eavesdropping, connection hijacking, and other network-level attacks. The following versions are affected: OpenSSH 5.x, 6.x, 7.x prior to 7.1p2. Corrected: 2016-01-14 22:42:43 UTC (stable/10, 10.2-STABLE) 2016-01-14 22:45:33 UTC (releng/10.2, 10.2-RELEASE-p10) 2016-01-14 22:47:54 UTC (releng/10.1, 10.1-RELEASE-p27) 2016-01-14 22:50:35 UTC (stable/9, 9.3-STABLE) 2016-01-14 22:53:07 UTC (releng/9.3, 9.3-RELEASE-p34) CVE Name: CVE-2016-0777 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. The ssh(1) is client side utility used to login to remote servers. II. III. IV. Workaround The vulnerable code in the client can be completely disabled by adding 'UseRoaming no' to the global ssh_config(5) file, or to user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line. All current remote ssh(1) sessions need to be restared after changing the configuration file. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-16:07/openssh.patch # fetch https://security.FreeBSD.org/patches/SA-16:07/openssh.patch.asc # gpg --verify openssh.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r294053 releng/9.3/ r294054 stable/10/ r294049 releng/10.1/ r294051 releng/10.2/ r294052 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. Here are the details from the Slackware 14.1 ChangeLog: +--------------------------+ patches/packages/openssh-7.1p2-i486-1_slack14.1.txz: Upgraded. This update fixes an information leak and a buffer overflow. Thanks to Qualys for reporting this issue. As of version 7.0, OpenSSH has deprecated some older (and presumably less secure) algorithms, and also (by default) only allows root login by public-key, hostbased and GSSAPI authentication. Make sure that your keys and authentication method will allow you to continue accessing your system after the upgrade. The release notes for OpenSSH 7.0 list the following incompatible changes to be aware of: * Support for the legacy SSH version 1 protocol is disabled by default at compile time. * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is disabled by default at run-time. It may be re-enabled using the instructions at http://www.openssh.com/legacy.html * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by default at run-time. These may be re-enabled using the instructions at http://www.openssh.com/legacy.html * Support for the legacy v00 cert format has been removed. * The default for the sshd_config(5) PermitRootLogin option has changed from "yes" to "prohibit-password". * PermitRootLogin=without-password/prohibit-password now bans all interactive authentication methods, allowing only public-key, hostbased and GSSAPI authentication (previously it permitted keyboard-interactive and password-less authentication if those were enabled). (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 13.0: ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssh-7.1p2-i486-1_slack13.0.txz Updated package for Slackware x86_64 13.0: ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssh-7.1p2-x86_64-1_slack13.0.txz Updated package for Slackware 13.1: ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssh-7.1p2-i486-1_slack13.1.txz Updated package for Slackware x86_64 13.1: ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssh-7.1p2-x86_64-1_slack13.1.txz Updated package for Slackware 13.37: ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/openssh-7.1p2-i486-1_slack13.37.txz Updated package for Slackware x86_64 13.37: ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/openssh-7.1p2-x86_64-1_slack13.37.txz Updated package for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssh-7.1p2-i486-1_slack14.0.txz Updated package for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssh-7.1p2-x86_64-1_slack14.0.txz Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssh-7.1p2-i486-1_slack14.1.txz Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssh-7.1p2-x86_64-1_slack14.1.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssh-7.1p2-i586-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/openssh-7.1p2-x86_64-1.txz MD5 signatures: +-------------+ Slackware 13.0 package: 856dd9c1b10641c282f30a34b7b63bea openssh-7.1p2-i486-1_slack13.0.txz Slackware x86_64 13.0 package: 80903b0829f0284d007e7a316f2ff2da openssh-7.1p2-x86_64-1_slack13.0.txz Slackware 13.1 package: 2095d1a304a94bab44993fdb7e0781c8 openssh-7.1p2-i486-1_slack13.1.txz Slackware x86_64 13.1 package: 5bf653d7f5b4a9426ff2c5888af99f00 openssh-7.1p2-x86_64-1_slack13.1.txz Slackware 13.37 package: 53e09b4371c045b9de1c86e0826324f9 openssh-7.1p2-i486-1_slack13.37.txz Slackware x86_64 13.37 package: cd0319ff3c574c50612d5ba2b38f2fdc openssh-7.1p2-x86_64-1_slack13.37.txz Slackware 14.0 package: 98cdc1d6ffea2a06d0c8013078681bff openssh-7.1p2-i486-1_slack14.0.txz Slackware x86_64 14.0 package: 2093f3e91a79e07f072c702a1704be73 openssh-7.1p2-x86_64-1_slack14.0.txz Slackware 14.1 package: d051d9f31cd380436ad01fa1641be1c7 openssh-7.1p2-i486-1_slack14.1.txz Slackware x86_64 14.1 package: f1f81757431c3c836f06ce5d22e2d5de openssh-7.1p2-x86_64-1_slack14.1.txz Slackware -current package: 70db20c5e4152bc9967b1e24cf91ed98 n/openssh-7.1p2-i586-1.txz Slackware x86_64 -current package: e13dc3da27f817bee693fbb907015817 n/openssh-7.1p2-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg openssh-7.1p2-i486-1_slack14.1.txz Next, restart the sshd daemon: # sh /etc/rc.d/rc.sshd restart Then before logging out, make sure that you still have remote access! See the information about incompatible changes in OpenSSH 7.x above. +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2016-03-21-5 OS X El Capitan 10.11.4 and Security Update 2016-002 OS X El Capitan 10.11.4 and Security Update 2016-002 is now available and addresses the following: apache_mod_php Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3 Impact: Processing a maliciously crafted .png file may lead to arbitrary code execution Description: Multiple vulnerabilities existed in libpng versions prior to 1.6.20. These were addressed by updating libpng to version 1.6.20. CVE-ID CVE-2015-8126 : Adam Mariš CVE-2015-8472 : Adam Mariš AppleRAID Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed through improved input validation. CVE-ID CVE-2016-1733 : Proteas of Qihoo 360 Nirvan Team AppleRAID Available for: OS X El Capitan v10.11 to v10.11.3 Impact: A local user may be able to determine kernel memory layout Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation. CVE-ID CVE-2016-1732 : Proteas of Qihoo 360 Nirvan Team AppleUSBNetworking Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue existed in the parsing of data from USB devices. This issue was addressed through improved input validation. CVE-ID CVE-2016-1734 : Andrea Barisani and Andrej Rosano of Inverse Path Bluetooth Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-ID CVE-2016-1735 : Jeonghoon Shin@A.D.D CVE-2016-1736 : beist and ABH of BoB Carbon Available for: OS X El Capitan v10.11 to v10.11.3 Impact: Processing a maliciously crafted .dfont file may lead to arbitrary code execution Description: Multiple memory corruption issues existed in the handling of font files. These issues were addressed through improved bounds checking. CVE-ID CVE-2016-1737 : an anonymous researcher dyld Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An attacker may tamper with code-signed applications to execute arbitrary code in the application's context Description: A code signing verification issue existed in dyld. This issue was addressed with improved validation. CVE-ID CVE-2016-1738 : beist and ABH of BoB FontParser Available for: OS X El Capitan v10.11 to v10.11.3 Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue was addressed through improved memory handling. CVE-ID CVE-2016-1740 : HappilyCoded (ant4g0nist and r3dsm0k3) working with Trend Micro's Zero Day Initiative (ZDI) HTTPProtocol Available for: OS X El Capitan v10.11 to v10.11.3 Impact: A remote attacker may be able to execute arbitrary code Description: Multiple vulnerabilities existed in nghttp2 versions prior to 1.6.0, the most serious of which may have led to remote code execution. These were addressed by updating nghttp2 to version 1.6.0. CVE-ID CVE-2015-8659 Intel Graphics Driver Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-ID CVE-2016-1743 : Piotr Bania of Cisco Talos CVE-2016-1744 : Ian Beer of Google Project Zero IOFireWireFamily Available for: OS X El Capitan v10.11 to v10.11.3 Impact: A local user may be able to cause a denial of service Description: A null pointer dereference was addressed through improved validation. CVE-ID CVE-2016-1745 : sweetchip of Grayhash IOGraphics Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed through improved input validation. CVE-ID CVE-2016-1746 : Peter Pi of Trend Micro working with Trend Micro's Zero Day Initiative (ZDI) CVE-2016-1747 : Juwei Lin of Trend Micro working with Trend Micro's Zero Day Initiative (ZDI) IOHIDFamily Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to determine kernel memory layout Description: A memory corruption issue was addressed through improved memory handling. CVE-ID CVE-2016-1748 : Brandon Azad IOUSBFamily Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-ID CVE-2016-1749 : Ian Beer of Google Project Zero and Juwei Lin of Trend Micro working with Trend Micro's Zero Day Initiative (ZDI) Kernel Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A use after free issue was addressed through improved memory management. CVE-ID CVE-2016-1750 : CESG Kernel Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A race condition existed during the creation of new processes. This was addressed through improved state handling. CVE-ID CVE-2016-1757 : Ian Beer of Google Project Zero and Pedro Vilaca Kernel Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A null pointer dereference was addressed through improved input validation. CVE-ID CVE-2016-1756 : Lufeng Li of Qihoo 360 Vulcan Team Kernel Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-ID CVE-2016-1754 : Lufeng Li of Qihoo 360 Vulcan Team CVE-2016-1755 : Ian Beer of Google Project Zero CVE-2016-1759 : lokihardt Kernel Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to determine kernel memory layout Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation. CVE-ID CVE-2016-1758 : Brandon Azad Kernel Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: Multiple integer overflows were addressed through improved input validation. CVE-ID CVE-2016-1753 : Juwei Lin Trend Micro working with Trend Micro's Zero Day Initiative (ZDI) Kernel Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to cause a denial of service Description: A denial of service issue was addressed through improved validation. CVE-ID CVE-2016-1752 : CESG libxml2 Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3 Impact: Processing maliciously crafted XML may lead to unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-ID CVE-2015-1819 CVE-2015-5312 : David Drysdale of Google CVE-2015-7499 CVE-2015-7500 : Kostya Serebryany of Google CVE-2015-7942 : Kostya Serebryany of Google CVE-2015-8035 : gustavo.grieco CVE-2015-8242 : Hugh Davenport CVE-2016-1761 : wol0xff working with Trend Micro's Zero Day Initiative (ZDI) CVE-2016-1762 Messages Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An attacker who is able to bypass Apple's certificate pinning, intercept TLS connections, inject messages, and record encrypted attachment-type messages may be able to read attachments Description: A cryptographic issue was addressed by rejecting duplicate messages on the client. CVE-ID CVE-2016-1788 : Christina Garman, Matthew Green, Gabriel Kaptchuk, Ian Miers, and Michael Rushanan of Johns Hopkins University Messages Available for: OS X El Capitan v10.11 to v10.11.3 Impact: Clicking a JavaScript link can reveal sensitive user information Description: An issue existed in the processing of JavaScript links. This issue was addressed through improved content security policy checks. CVE-ID CVE-2016-1764 : Matthew Bryan of the Uber Security Team (formerly of Bishop Fox), Joe DeMesy and Shubham Shah of Bishop Fox NVIDIA Graphics Drivers Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-ID CVE-2016-1741 : Ian Beer of Google Project Zero OpenSSH Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3 Impact: Connecting to a server may leak sensitive user information, such as a client's private keys Description: Roaming, which was on by default in the OpenSSH client, exposed an information leak and a buffer overflow. These issues were addressed by disabling roaming in the client. CVE-ID CVE-2016-0777 : Qualys CVE-2016-0778 : Qualys OpenSSH Available for: OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5 Impact: Multiple vulnerabilities in LibreSSL Description: Multiple vulnerabilities existed in LibreSSL versions prior to 2.1.8. These were addressed by updating LibreSSL to version 2.1.8. CVE-ID CVE-2015-5333 : Qualys CVE-2015-5334 : Qualys OpenSSL Available for: OS X El Capitan v10.11 to v10.11.3 Impact: A remote attacker may be able to cause a denial of service Description: A memory leak existed in OpenSSL versions prior to 0.9.8zh. This issue was addressed by updating OpenSSL to version 0.9.8zh. CVE-ID CVE-2015-3195 Python Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3 Impact: Processing a maliciously crafted .png file may lead to arbitrary code execution Description: Multiple vulnerabilities existed in libpng versions prior to 1.6.20. These were addressed by updating libpng to version 1.6.20. CVE-ID CVE-2014-9495 CVE-2015-0973 CVE-2015-8126 : Adam Mariš CVE-2015-8472 : Adam Mariš QuickTime Available for: OS X El Capitan v10.11 to v10.11.3 Impact: Processing a maliciously crafted FlashPix Bitmap Image may lead to unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-ID CVE-2016-1767 : Francis Provencher from COSIG CVE-2016-1768 : Francis Provencher from COSIG QuickTime Available for: OS X El Capitan v10.11 to v10.11.3 Impact: Processing a maliciously crafted Photoshop document may lead to unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-ID CVE-2016-1769 : Francis Provencher from COSIG Reminders Available for: OS X El Capitan v10.11 to v10.11.3 Impact: Clicking a tel link can make a call without prompting the user Description: A user was not prompted before invoking a call. This was addressed through improved entitlement checks. CVE-ID CVE-2016-1770 : Guillaume Ross of Rapid7 and Laurent Chouinard of Laurent.ca Ruby Available for: OS X El Capitan v10.11 to v10.11.3 Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution Description: An unsafe tainted string usage vulnerability existed in versions prior to 2.0.0-p648. This issue was addressed by updating to version 2.0.0-p648. CVE-ID CVE-2015-7551 Security Available for: OS X El Capitan v10.11 to v10.11.3 Impact: A local user may be able to check for the existence of arbitrary files Description: A permissions issue existed in code signing tools. This was addressed though additional ownership checks. CVE-ID CVE-2016-1773 : Mark Mentovai of Google Inc. Security Available for: OS X El Capitan v10.11 to v10.11.3 Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution Description: A memory corruption issue existed in the ASN.1 decoder. This issue was addressed through improved input validation. CVE-ID CVE-2016-1950 : Francis Gabriel of Quarkslab Tcl Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11 to v10.11.3 Impact: Processing a maliciously crafted .png file may lead to arbitrary code execution Description: Multiple vulnerabilities existed in libpng versions prior to 1.6.20. These were addressed by removing libpng. CVE-ID CVE-2015-8126 : Adam Mariš TrueTypeScaler Available for: OS X El Capitan v10.11 to v10.11.3 Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation. CVE-ID CVE-2016-1775 : 0x1byte working with Trend Micro's Zero Day Initiative (ZDI) Wi-Fi Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An attacker with a privileged network position may be able to execute arbitrary code Description: A frame validation and memory corruption issue existed for a given ethertype. This issue was addressed through additional ethertype validation and improved memory handling. CVE-ID CVE-2016-0801 : an anonymous researcher CVE-2016-0802 : an anonymous researcher OS X El Capitan 10.11.4 includes the security content of Safari 9.1. https://support.apple.com/kb/HT206171 OS X El Capitan v10.11.4 and Security Update 2016-002 may be obtained from the Mac App Store or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJW8JQFAAoJEBcWfLTuOo7tZSYP/1bHFA1qemkD37uu7nYpk/q6 ARVsPgME1I1+5tOxX0TQJgzMBmdQsKYdsTiLpDk5HTuv+dAMsFfasaUItGk8Sz1w HiYjSfVsxL+Pjz3vK8/4/fsi2lX6472MElRw8gudITOhXtniGcKo/vuA5dB+vM3l Jy1NLHHhZ6BD2t0bBmlz41mZMG3AMxal2wfqE+5LkjUwASzcvC/3B1sh7Fntwyau /71vIgMQ5AaETdgQJAuQivxPyTlFduBRgLjqvPiB9eSK4Ctu5t/hErFIrP2NiDCi UhfZC48XbiRjJfkUsUD/5TIKnI+jkZxOnch9ny32dw2kUIkbIAbqufTkzsMXOpng O+rI93Ni7nfzgI3EkI2bq+C+arOoRiveWuJvc3SMPD5RQHo4NCQVs0ekQJKNHF78 juPnY29n8WMjwLS6Zfm+bH+n8ELIXrmmEscRztK2efa9S7vJe+AgIxx7JE/f8OHF i9K7UQBXFXcpMjXi1aTby/IUnpL5Ny4NVwYwIhctj0Mf6wTH7uf/FMWYIQOXcIfP Izo+GXxNeLd4H2ypZ+UpkZg/Sn2mtCd88wLc96+owlZPBlSqWl3X1wTlp8i5FP2X qlQ7RcTHJDv8jPT/MOfzxEK1n/azp45ahHA0o6nohUdxlA7PLci9vPiJxqKPo/0q VZmOKa8qMxB1L/JmdCqy =mZR+ -----END PGP SIGNATURE----- . Furthermore, a buffer overflow can be exploited by a malicious server, but its exploitation requires non-default options and is mitigated due to another bug. Resolution ========== All OpenSSH users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/openssh-7.1_p2" References ========== [ 1 ] CVE-2016-0777 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0777 [ 2 ] CVE-2016-0778 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0778 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201601-01 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. License ======= Copyright 2016 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: openssh security update Advisory ID: RHSA-2016:0043-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0043.html Issue date: 2016-01-14 CVE Names: CVE-2016-0777 CVE-2016-0778 ===================================================================== 1. Summary: Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. (CVE-2016-0778) Red Hat would like to thank Qualys for reporting these issues. All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Package List: Red Hat Enterprise Linux Client (v. 7): Source: openssh-6.6.1p1-23.el7_2.src.rpm x86_64: openssh-6.6.1p1-23.el7_2.x86_64.rpm openssh-askpass-6.6.1p1-23.el7_2.x86_64.rpm openssh-clients-6.6.1p1-23.el7_2.x86_64.rpm openssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm openssh-keycat-6.6.1p1-23.el7_2.x86_64.rpm openssh-server-6.6.1p1-23.el7_2.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: openssh-debuginfo-6.6.1p1-23.el7_2.i686.rpm openssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm openssh-ldap-6.6.1p1-23.el7_2.x86_64.rpm openssh-server-sysvinit-6.6.1p1-23.el7_2.x86_64.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.i686.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: openssh-6.6.1p1-23.el7_2.src.rpm x86_64: openssh-6.6.1p1-23.el7_2.x86_64.rpm openssh-clients-6.6.1p1-23.el7_2.x86_64.rpm openssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm openssh-keycat-6.6.1p1-23.el7_2.x86_64.rpm openssh-server-6.6.1p1-23.el7_2.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): x86_64: openssh-askpass-6.6.1p1-23.el7_2.x86_64.rpm openssh-debuginfo-6.6.1p1-23.el7_2.i686.rpm openssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm openssh-ldap-6.6.1p1-23.el7_2.x86_64.rpm openssh-server-sysvinit-6.6.1p1-23.el7_2.x86_64.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.i686.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: openssh-6.6.1p1-23.el7_2.src.rpm ppc64: openssh-6.6.1p1-23.el7_2.ppc64.rpm openssh-askpass-6.6.1p1-23.el7_2.ppc64.rpm openssh-clients-6.6.1p1-23.el7_2.ppc64.rpm openssh-debuginfo-6.6.1p1-23.el7_2.ppc64.rpm openssh-keycat-6.6.1p1-23.el7_2.ppc64.rpm openssh-server-6.6.1p1-23.el7_2.ppc64.rpm ppc64le: openssh-6.6.1p1-23.el7_2.ppc64le.rpm openssh-askpass-6.6.1p1-23.el7_2.ppc64le.rpm openssh-clients-6.6.1p1-23.el7_2.ppc64le.rpm openssh-debuginfo-6.6.1p1-23.el7_2.ppc64le.rpm openssh-keycat-6.6.1p1-23.el7_2.ppc64le.rpm openssh-server-6.6.1p1-23.el7_2.ppc64le.rpm s390x: openssh-6.6.1p1-23.el7_2.s390x.rpm openssh-askpass-6.6.1p1-23.el7_2.s390x.rpm openssh-clients-6.6.1p1-23.el7_2.s390x.rpm openssh-debuginfo-6.6.1p1-23.el7_2.s390x.rpm openssh-keycat-6.6.1p1-23.el7_2.s390x.rpm openssh-server-6.6.1p1-23.el7_2.s390x.rpm x86_64: openssh-6.6.1p1-23.el7_2.x86_64.rpm openssh-askpass-6.6.1p1-23.el7_2.x86_64.rpm openssh-clients-6.6.1p1-23.el7_2.x86_64.rpm openssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm openssh-keycat-6.6.1p1-23.el7_2.x86_64.rpm openssh-server-6.6.1p1-23.el7_2.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64: openssh-debuginfo-6.6.1p1-23.el7_2.ppc.rpm openssh-debuginfo-6.6.1p1-23.el7_2.ppc64.rpm openssh-ldap-6.6.1p1-23.el7_2.ppc64.rpm openssh-server-sysvinit-6.6.1p1-23.el7_2.ppc64.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.ppc.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.ppc64.rpm ppc64le: openssh-debuginfo-6.6.1p1-23.el7_2.ppc64le.rpm openssh-ldap-6.6.1p1-23.el7_2.ppc64le.rpm openssh-server-sysvinit-6.6.1p1-23.el7_2.ppc64le.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.ppc64le.rpm s390x: openssh-debuginfo-6.6.1p1-23.el7_2.s390.rpm openssh-debuginfo-6.6.1p1-23.el7_2.s390x.rpm openssh-ldap-6.6.1p1-23.el7_2.s390x.rpm openssh-server-sysvinit-6.6.1p1-23.el7_2.s390x.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.s390.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.s390x.rpm x86_64: openssh-debuginfo-6.6.1p1-23.el7_2.i686.rpm openssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm openssh-ldap-6.6.1p1-23.el7_2.x86_64.rpm openssh-server-sysvinit-6.6.1p1-23.el7_2.x86_64.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.i686.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: openssh-6.6.1p1-23.el7_2.src.rpm x86_64: openssh-6.6.1p1-23.el7_2.x86_64.rpm openssh-askpass-6.6.1p1-23.el7_2.x86_64.rpm openssh-clients-6.6.1p1-23.el7_2.x86_64.rpm openssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm openssh-keycat-6.6.1p1-23.el7_2.x86_64.rpm openssh-server-6.6.1p1-23.el7_2.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: openssh-debuginfo-6.6.1p1-23.el7_2.i686.rpm openssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm openssh-ldap-6.6.1p1-23.el7_2.x86_64.rpm openssh-server-sysvinit-6.6.1p1-23.el7_2.x86_64.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.i686.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-0777 https://access.redhat.com/security/cve/CVE-2016-0778 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/articles/2123781 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWmAWQXlSAg2UNWIIRAh17AJ9SiT1MA1YtOA6ctMp9jIo4e9XrFwCgkbmo nXgYWs8cZcyoTRVoriTGHQo= =1sk9 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

information disclosure

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES