MGASA-2016-0280
Description
Updated openssh packages fix security vulnerability

The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable (CVE-2015-8325).

When SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hard-coded in the SSHD source code. An attacker can measure timing information to determine if a user exists when verifying a password (CVE-2016-6210).

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string (CVE-2016-6515).

Note that CVE-2015-8325 and CVE-2016-6210 wouldn't affect most Mageia systems, as UseLogin is not enabled by default and Mageia uses Blowfish password hashes by default.
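A configuration audit for the two conditional issues described above (CVE-2015-8325 and CVE-2016-6210), as an added example that is not part of the original advisory or of Mageia's tooling. The sample file contents are constructed; treating an absent `user_readenv` as off and ignoring `Match` blocks are assumptions, and all function names are hypothetical.

```python
import re

# Constructed sample file contents (not taken from a real host).
SSHD_CONFIG = "Port 22\n#UseLogin no\nUseLogin yes\n"
PAM_SSHD = "auth include system-auth\nsession required pam_env.so user_readenv=1\n"
SHADOW = ("alice:$6$saltsalt$abcdef:17000:0:99999:7:::\n"
          "bob:$2a$08$abcdefghijklmnopqrstuu:17000:0:99999:7:::\n"
          "daemon:*:17000:0:99999:7:::\n")

BLOWFISH_PREFIXES = ("$2a$", "$2b$", "$2x$", "$2y$")

def sshd_option(config_text, name, default):
    """Effective sshd_config value: first occurrence wins, keyword case ignored."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            return parts[1].strip().strip('"').lower()
    return default  # Match blocks are not handled (assumption)

def pam_reads_user_env(pam_text):
    """True if a pam_env line explicitly sets user_readenv=1 (absent = off, assumed)."""
    for line in pam_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        if "pam_env.so" in line and re.search(r"\buser_readenv=1\b", line):
            return True
    return False

def non_blowfish_accounts(shadow_text):
    """Accounts whose hash is not Blowfish, so the advisory's note does not cover them."""
    users = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        pw = fields[1].lstrip("!")  # a leading '!' marks a locked account
        if pw.startswith("$") and not pw.startswith(BLOWFISH_PREFIXES):
            users.append(fields[0])
    return users

def assess(sshd_text, pam_text, shadow_text):
    """Map each configuration-dependent CVE to this host's exposure."""
    uselogin = sshd_option(sshd_text, "UseLogin", "no") == "yes"
    return {"CVE-2015-8325": uselogin and pam_reads_user_env(pam_text),
            "CVE-2016-6210": non_blowfish_accounts(shadow_text)}
```

CVE-2016-6515 does not depend on either setting, so it is not part of this check; the package version under Affected Systems decides it.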
Affected Systems
- mageia • openssh < 6.6p1-5.9.mga5
References (5)
- https://advisories.mageia.org/MGASA-2016-0280.html
- https://bugs.mageia.org/show_bug.cgi?id=18222
- https://www.debian.org/security/2016/dsa-3550
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6210
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/X2L6RW34VFNXYNVVN2CN73YAGJ5VMTFU/