
[SECURITY] [DLA 288-1] openssh security update

Package        : openssh
Version        : 1:5.5p1-6+squeeze6
CVE ID         : CVE-2015-5352 CVE-2015-5600
Debian Bug     : #790798 #793616

A recent upload of OpenSSH to Debian squeeze-lts fixes two security issues.


CVE-2015-5352

    It was reported that when forwarding X11 connections with
    ForwardX11Trusted=no, connections made after ForwardX11Timeout
    (a hard-coded value of 1200 seconds in the Debian squeeze version
    of OpenSSH) had expired could be permitted and were no longer
    subject to XSECURITY restrictions. The cause was an ineffective
    timeout check in ssh(1) coupled with "fail open" behaviour in the
    X11 server when clients attempted connections with expired
    credentials. This problem was reported by Jann Horn.

    We now reject X11 connections after the hard-coded Xauth cookie
    expiration time of 1200 seconds.


CVE-2015-5600

    It was found that OpenSSH would allow an attacker to request a large
    number of keyboard-interactive devices when entering a password,
    which could allow a remote attacker to bypass the MaxAuthTries limit
    defined in the sshd_config file.

    This flaw only affects OpenSSH configurations that have the
    'KbdInteractiveAuthentication' configuration option set to 'yes'. By
    default, this option has the same value as the
    'ChallengeResponseAuthentication' option.

    By default, all versions of Debian have the
    'ChallengeResponseAuthentication' option set to 'no', meaning default
    OpenSSH configurations are not affected by this flaw.

    We now only query each keyboard-interactive device once per
    authentication request regardless of how many times it is listed.
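
A check for the configuration condition above, as an added example (not part of the advisory or of OpenSSH): it reads an sshd_config on stdin and takes the first value set for each of the two options. The function name, verdict strings and sample configs are constructed for illustration; as a conservative assumption, a 'yes' on either option or inside any Match block counts as exposed, and a file that does not set ChallengeResponseAuthentication to 'no' is reported as check-default rather than assumed safe.

```shell
#!/bin/sh
# Added example (not Debian or OpenSSH code): classify an sshd_config read
# on stdin for the keyboard-interactive condition described above.
# The function name and verdict strings are hypothetical.
kbdint_verdict() {
    awk '
    {
        sub(/#.*/, "")                  # strip comments
        gsub(/[=\t]/, " ")              # accept "Key=value" and tabs
        if (NF < 2) next
        key = tolower($1)               # keywords are case-insensitive
        val = tolower($2); gsub(/"/, "", val)
        if (key == "match") { in_match = 1; next }
        if (key != "kbdinteractiveauthentication" &&
            key != "challengeresponseauthentication") next
        if (in_match) {                 # conditional block: flag any yes
            if (val == "yes") match_yes = 1
            next
        }
        if (!(key in seen)) seen[key] = val   # first global value wins
    }
    END {
        k = seen["kbdinteractiveauthentication"]
        c = seen["challengeresponseauthentication"]
        if (k == "yes" || c == "yes" || match_yes) print "exposed"
        else if (c == "no") print "not-exposed"
        else print "check-default"      # file does not pin the value
    }'
}

# Constructed sample configs, not taken from a real host.
stock='# constructed: challenge-response pinned to no
UsePAM yes
ChallengeResponseAuthentication no'
risky='ChallengeResponseAuthentication no
KbdInteractiveAuthentication=yes'

printf 'stock: %s\n' "$(printf '%s\n' "$stock" | kbdint_verdict)"
printf 'risky: %s\n' "$(printf '%s\n' "$risky" | kbdint_verdict)"
```

On a host, run it as `kbdint_verdict < /etc/ssh/sshd_config`.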


mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net
