
[BSA-095] Security Update for openssh




Colin Watson uploaded new packages for openssh which fixed the following
security problems:

CVE-2014-2532 (DSA-2894-1)
  Jann Horn discovered that OpenSSH incorrectly handled wildcards in
  AcceptEnv lines.  A remote attacker could use this issue to trick
  OpenSSH into accepting any environment variable that contains the
  characters before the wildcard character.

  https://security-tracker.debian.org/tracker/CVE-2014-2532

CVE-2014-2653 (DSA-2894-1)
  Matthew Vernon reported that if an SSH server offers a HostCertificate
  that the ssh client doesn't accept, then the client doesn't check the
  DNS for SSHFP records.  As a consequence a malicious server can
  disable SSHFP-checking by presenting a certificate.

  Note that a host verification prompt is still displayed before
  connecting.

  https://security-tracker.debian.org/tracker/CVE-2014-2653

For the wheezy-backports distribution, these problems have been fixed in
version 1:6.6p1-4~bpo70+1.

For the oldstable distribution (squeeze), these problems have been fixed
in version 1:5.5p1-6+squeeze5.

For the stable distribution (wheezy), these problems have been fixed in
version 1:6.0p1-4+deb7u1.

For the testing (jessie) and unstable (sid) distributions, these
problems have been fixed in version 1:6.6p1-1.

- -- 
Colin Watson                                       [cjwatson@debian.org]


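Added example, not part of the advisory or of the openssh packaging: a small audit for the AcceptEnv issue described under CVE-2014-2532. It lists every AcceptEnv pattern in an sshd_config that contains a wildcard, together with the characters before the wildcard. The function names, the sample configuration and the whitespace-separated "keyword value" layout are assumptions made for illustration.

```shell
#!/bin/sh
# audit_acceptenv FILE
# Prints one line per wildcard AcceptEnv pattern:
#   LINE_NUMBER <TAB> PATTERN <TAB> PREFIX
# PREFIX is the literal text before the first wildcard (* or ?).
audit_acceptenv() {
    awk '
        /^[[:space:]]*#/ { next }              # skip comment lines
        tolower($1) == "acceptenv" {           # keyword is case-insensitive
            for (i = 2; i <= NF; i++) {        # several patterns per line
                if (match($i, /[*?]/)) {
                    printf "%d\t%s\t%s\n", NR, $i, substr($i, 1, RSTART - 1)
                }
            }
        }
    ' "$1"
}

# Constructed sample configuration (not taken from any real host).
sample_config() {
    cat <<'EOF'
# constructed sample
Port 22
AcceptEnv LANG LC_*
#AcceptEnv OLD_*
Match User deploy
    acceptenv APP_?_MODE GIT_AUTHOR
EOF
}

# Stand-alone demonstration on the constructed sample.
tmp=$(mktemp)
sample_config > "$tmp"
audit_acceptenv "$tmp"
rm -f "$tmp"
```

On a host still running a version older than the fixed ones listed above, the PREFIX column shows which leading characters each wildcard pattern depends on, which is the part to review while the update is pending.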