Red Hat: 2015:0425-02: openssh: Moderate Advisory
Summary
OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These
packages include the core files necessary for both the OpenSSH client and
server.
It was discovered that OpenSSH clients did not correctly verify DNS SSHFP
records. A malicious server could use this flaw to force a connecting
client to skip the DNS SSHFP record check and require the user to perform
manual host verification of the DNS SSHFP record. (CVE-2014-2653)
It was found that when OpenSSH was used in a Kerberos environment, remote
authenticated users were allowed to log in as a different user if they were
listed in the ~/.k5users file of that user, potentially bypassing intended
authentication restrictions. (CVE-2014-9278)
The openssh packages have been upgraded to upstream version 6.6.1, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#1059667)
Bug fixes:
* An existing /dev/log socket is needed when logging using the syslog
utility, which is not possible for all chroot environments based on the
user's home directories. As a consequence, the sftp commands were not
logged in the chroot setup without /dev/log in the internal sftp subsystem.
With this update, openssh has been enhanced to detect whether /dev/log
exists. If /dev/log does not exist, processes in the chroot environment use
their master processes for logging. (BZ#1083482)
* The buffer size for a host name was limited to 64 bytes. As a
consequence, when a host name was 64 bytes long or longer, the ssh-keygen
utility failed. The buffer size has been increased to fix this bug, and
ssh-keygen no longer fails in the described situation. (BZ#1097665)
* Non-ASCII characters have been replaced by their octal representations in
banner messages in order to prevent terminal re-programming attacks.
Consequently, banners containing UTF-8 strings were not correctly displayed
in a client. With this update, banner messages are processed according to
RFC 3454, control characters have been removed, and banners containing
UTF-8 strings are now displayed correctly. (BZ#1104662)
* Red Hat Enterprise Linux uses persistent Kerberos credential caches,
which are shared between sessions. Previously, the GSSAPICleanupCredentials
option was set to "yes" by default. Consequently, removing a Kerberos cache
on logout could remove unrelated credentials of other sessions, which could
make the system unusable. To fix this bug, GSSAPICleanupCredentials is set
by default to "no". (BZ#1134447)
* Access permissions for the /etc/ssh/moduli file were set to 0600, which
was unnecessarily strict. With this update, the permissions for
/etc/ssh/moduli have been changed to 0644 to make the access to the file
easier. (BZ#1134448)
* Due to the KRB5CCNAME variable being truncated, the Kerberos ticket cache
was not found after login using a Kerberos-enabled SSH connection. The
underlying source code has been modified to fix this bug, and Kerberos
authentication works as expected in the described situation. (BZ#1161173)
Enhancements:
* When the sshd daemon is configured to force the internal SFTP session, a
connection other then SFTP is used, the appropriate message is logged to
the /var/log/secure file. (BZ#1130198)
* The sshd-keygen service was run using the
"ExecStartPre=-/usr/sbin/sshd-keygen" option in the sshd.service unit file.
With this update, the separate sshd-keygen.service unit file has been
added, and sshd.service has been adjusted to require sshd-keygen.service.
(BZ#1134997)
Users of openssh are advised to upgrade to these updated packages, which
correct these issues and add these enhancements.
Summary
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2014-2653 https://access.redhat.com/security/cve/CVE-2014-9278 https://access.redhat.com/security/updates/classification/#moderate
Package List
Red Hat Enterprise Linux Client (v. 7):
Source:
openssh-6.6.1p1-11.el7.src.rpm
x86_64:
openssh-6.6.1p1-11.el7.x86_64.rpm
openssh-askpass-6.6.1p1-11.el7.x86_64.rpm
openssh-clients-6.6.1p1-11.el7.x86_64.rpm
openssh-debuginfo-6.6.1p1-11.el7.x86_64.rpm
openssh-keycat-6.6.1p1-11.el7.x86_64.rpm
openssh-server-6.6.1p1-11.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
openssh-debuginfo-6.6.1p1-11.el7.i686.rpm
openssh-debuginfo-6.6.1p1-11.el7.x86_64.rpm
openssh-ldap-6.6.1p1-11.el7.x86_64.rpm
openssh-server-sysvinit-6.6.1p1-11.el7.x86_64.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.i686.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
openssh-6.6.1p1-11.el7.src.rpm
x86_64:
openssh-6.6.1p1-11.el7.x86_64.rpm
openssh-clients-6.6.1p1-11.el7.x86_64.rpm
openssh-debuginfo-6.6.1p1-11.el7.x86_64.rpm
openssh-keycat-6.6.1p1-11.el7.x86_64.rpm
openssh-server-6.6.1p1-11.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
openssh-askpass-6.6.1p1-11.el7.x86_64.rpm
openssh-debuginfo-6.6.1p1-11.el7.i686.rpm
openssh-debuginfo-6.6.1p1-11.el7.x86_64.rpm
openssh-ldap-6.6.1p1-11.el7.x86_64.rpm
openssh-server-sysvinit-6.6.1p1-11.el7.x86_64.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.i686.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
openssh-6.6.1p1-11.el7.src.rpm
ppc64:
openssh-6.6.1p1-11.el7.ppc64.rpm
openssh-askpass-6.6.1p1-11.el7.ppc64.rpm
openssh-clients-6.6.1p1-11.el7.ppc64.rpm
openssh-debuginfo-6.6.1p1-11.el7.ppc64.rpm
openssh-keycat-6.6.1p1-11.el7.ppc64.rpm
openssh-server-6.6.1p1-11.el7.ppc64.rpm
s390x:
openssh-6.6.1p1-11.el7.s390x.rpm
openssh-askpass-6.6.1p1-11.el7.s390x.rpm
openssh-clients-6.6.1p1-11.el7.s390x.rpm
openssh-debuginfo-6.6.1p1-11.el7.s390x.rpm
openssh-keycat-6.6.1p1-11.el7.s390x.rpm
openssh-server-6.6.1p1-11.el7.s390x.rpm
x86_64:
openssh-6.6.1p1-11.el7.x86_64.rpm
openssh-askpass-6.6.1p1-11.el7.x86_64.rpm
openssh-clients-6.6.1p1-11.el7.x86_64.rpm
openssh-debuginfo-6.6.1p1-11.el7.x86_64.rpm
openssh-keycat-6.6.1p1-11.el7.x86_64.rpm
openssh-server-6.6.1p1-11.el7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64:
openssh-debuginfo-6.6.1p1-11.el7.ppc.rpm
openssh-debuginfo-6.6.1p1-11.el7.ppc64.rpm
openssh-ldap-6.6.1p1-11.el7.ppc64.rpm
openssh-server-sysvinit-6.6.1p1-11.el7.ppc64.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.ppc.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.ppc64.rpm
s390x:
openssh-debuginfo-6.6.1p1-11.el7.s390.rpm
openssh-debuginfo-6.6.1p1-11.el7.s390x.rpm
openssh-ldap-6.6.1p1-11.el7.s390x.rpm
openssh-server-sysvinit-6.6.1p1-11.el7.s390x.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.s390.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.s390x.rpm
x86_64:
openssh-debuginfo-6.6.1p1-11.el7.i686.rpm
openssh-debuginfo-6.6.1p1-11.el7.x86_64.rpm
openssh-ldap-6.6.1p1-11.el7.x86_64.rpm
openssh-server-sysvinit-6.6.1p1-11.el7.x86_64.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.i686.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
openssh-6.6.1p1-11.el7.src.rpm
x86_64:
openssh-6.6.1p1-11.el7.x86_64.rpm
openssh-askpass-6.6.1p1-11.el7.x86_64.rpm
openssh-clients-6.6.1p1-11.el7.x86_64.rpm
openssh-debuginfo-6.6.1p1-11.el7.x86_64.rpm
openssh-keycat-6.6.1p1-11.el7.x86_64.rpm
openssh-server-6.6.1p1-11.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
openssh-debuginfo-6.6.1p1-11.el7.i686.rpm
openssh-debuginfo-6.6.1p1-11.el7.x86_64.rpm
openssh-ldap-6.6.1p1-11.el7.x86_64.rpm
openssh-server-sysvinit-6.6.1p1-11.el7.x86_64.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.i686.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
Topic
Updated openssh packages that fix two security issues, several bugs, andadd various enhancements are now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having Moderate securityimpact. Common Vulnerability Scoring System (CVSS) base scores, which givedetailed severity ratings, are available for each vulnerability from theCVE links in the References section.
Topic
Relevant Releases Architectures
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
Bugs Fixed
912792 - ssh client showing Connection closed by UNKNOWN after timeout at password prompt
1071967 - Inconsistent error message when generating keys in FIPS mode
1081338 - CVE-2014-2653 openssh: failure to check DNS SSHFP records in certain scenarios
1084079 - sftp / symlink does not create relative links
1097665 - ssh-keygen with error : gethostname: File name too long
1102288 - AuthorizedKeysCommand does not work under the Match section
1134997 - sshd.service shouldn't call /usr/sbin/sshd-keygen directly using ExecStartPre
1143867 - sshd fails to start in FIPS mode due to ED25519 key generation
1153011 - sshd requires that .k5login exists even if krb5_kuserok() returns TRUE
1155626 - KerberosUseKuserok default changed from "yes" to "no"
1161173 - sshd sets KRB5CCNAME environment variable with a truncated value
1162620 - fatal: monitor_read: unsupported request: 82 on server while attempting GSSAPI key exchange
1169843 - CVE-2014-9278 openssh: ~/.k5users unexpectedly grants remote login
