
Bug#742513: marked as done (If server offers certificate, doesn't fall back to checking SSHFP records (CVE-2014-2653))



Your message dated Fri, 28 Mar 2014 21:19:12 +0000
with message-id <E1WTeBE-0000bW-Sl@franck.debian.org>
and subject line Bug#742513: fixed in openssh 1:6.6p1-1
has caused the Debian Bug report #742513,
regarding If server offers certificate, doesn't fall back to checking SSHFP records (CVE-2014-2653)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
742513: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-client
Version: 1:6.0p1-4
Severity: important
Tags: security upstream

Hi,

I've been looking at handling host keys better, and tripped over this
bug. Essentially, if the server offers a HostCertificate that the
client doesn't accept, then the client doesn't then check for SSHFP
records.

Setup to reproduce:

Server has a HostCertificate, and appropriate SSHFP entries in the DNS. 

Client does /not/ have a @cert-authority entry in known_hosts

What should happen:

Server offers the certificate, client rejects it and then validates
the SSHFP entry, and goes on to connect.

What does happen:

Server offers the certificate, client rejects it and then falls back
to prompting the user.

You can work around this by doing -o 'HostKeyAlgorithms=ssh-rsa', but
that disables certificate checking entirely, so isn't actually a fix.

I think this is a security issue, as host key checking is IMO
important security-wise, but I think "important" is the correct
severity.

Regards,

Matthew

-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  dpkg                   1.16.12
ii  libc6                  2.13-38+deb7u1
ii  libedit2               2.11-20080614-5
ii  libgssapi-krb5-2       1.10.1+dfsg-5+deb7u1
ii  libselinux1            2.1.9-5
ii  libssl1.0.0            1.0.1e-2+deb7u4
ii  passwd                 1:4.1.5.1-1
ii  zlib1g                 1:1.2.7.dfsg-13

Versions of packages openssh-client recommends:
ii  openssh-blacklist        0.4.1+nmu1
ii  openssh-blacklist-extra  0.4.1+nmu1
ii  xauth                    1:1.0.7-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- Configuration Files:
/etc/ssh/ssh_config changed:
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no


-- no debconf information

--- End Message ---
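The fallback the report above asks for (and that the 1:6.6p1-1 changelog entry for CVE-2014-2653 further down records as fixed), as an added Python example that is not part of the original bug report or of OpenSSH's own code: strip an offered host certificate down to the plain key it wraps, compute that key's SSHFP digests, and match them against DNS records. The Ed25519 key bytes, the certificate's nonce, CA key and signature, and the host name host.example.org are constructed demo data, not a real key pair; in the reported scenario the client has no @cert-authority entry, so the certificate signature is never checked and a dummy signature is immaterial to what is shown.

```python
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by plain key type.
# Certificate key types deliberately have no entry: they must be stripped first.
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
             "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}   # fingerprint types
CERT_SUFFIX = "-cert-v01@openssh.com"


def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def _string(b):
    return struct.pack(">I", len(b)) + b


def drop_cert(blob):
    """Return the plain host key blob for an OpenSSH public key blob.

    Plain keys pass through unchanged. For *-cert-v01@openssh.com blobs the
    certificate fields (nonce, serial, principals, CA key, signature, ...)
    are discarded and the embedded public key is re-encoded as a plain key.
    """
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode()
    if not ktype.endswith(CERT_SUFFIX):
        return blob
    plain_type = ktype[:-len(CERT_SUFFIX)]
    _nonce, off = _read_string(blob, off)          # certificate nonce
    if plain_type == "ssh-rsa":
        e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        return _string(b"ssh-rsa") + _string(e) + _string(n)
    if plain_type == "ssh-ed25519":
        pk, off = _read_string(blob, off)
        return _string(b"ssh-ed25519") + _string(pk)
    if plain_type.startswith("ecdsa-sha2-"):
        curve, off = _read_string(blob, off)
        q, off = _read_string(blob, off)
        return _string(plain_type.encode()) + _string(curve) + _string(q)
    raise ValueError("unsupported certificate type: " + ktype)


def sshfp_records(blob):
    """(alg, fptype, hexdigest) tuples for a plain key blob, as ssh-keygen -r
    prints them. Certificate and unknown types yield no records."""
    ktype, _ = _read_string(blob, 0)
    alg = SSHFP_ALG.get(ktype.decode())
    if alg is None:
        return []
    return [(alg, fpt, h(blob).hexdigest()) for fpt, h in SSHFP_HASH.items()]


def host_key_matches_sshfp(offered_blob, dns_records, strip_cert=True):
    """Match an offered host key against DNS SSHFP records.

    strip_cert=True is the post-fix behaviour: drop any certificate wrapper
    and hash the plain key. strip_cert=False models the pre-6.6 client, for
    which a certificate key type had no SSHFP mapping and so never matched.
    """
    key = drop_cert(offered_blob) if strip_cert else offered_blob
    wanted = set(sshfp_records(key))
    return any((a, f, d.lower()) in wanted for a, f, d in dns_records)


def build_demo_ed25519_cert(pk):
    """Construct a syntactically valid Ed25519 host certificate around pk.
    Nonce, CA key and signature are dummies: demo data, not a real CA."""
    return b"".join([
        _string(b"ssh-ed25519-cert-v01@openssh.com"),
        _string(b"\x00" * 32),                         # nonce
        _string(pk),                                   # the wrapped public key
        struct.pack(">Q", 1),                          # serial
        struct.pack(">I", 2),                          # SSH2_CERT_TYPE_HOST
        _string(b"host.example.org"),                  # key id
        _string(_string(b"host.example.org")),         # valid principals
        struct.pack(">Q", 0),                          # valid after
        struct.pack(">Q", 0xFFFFFFFFFFFFFFFF),         # valid before
        _string(b""), _string(b""), _string(b""),      # crit. opts, exts, reserved
        _string(_string(b"ssh-ed25519") + _string(b"\x11" * 32)),  # dummy CA key
        _string(_string(b"ssh-ed25519") + _string(b"\x22" * 64)),  # dummy signature
    ])


# Constructed demo data, not a real key.
DEMO_PK = bytes(range(32))
DEMO_PLAIN = _string(b"ssh-ed25519") + _string(DEMO_PK)
DEMO_CERT = build_demo_ed25519_cert(DEMO_PK)
DEMO_DNS = sshfp_records(DEMO_PLAIN)   # what the zone publishes for the host

if __name__ == "__main__":
    for alg, fpt, digest in DEMO_DNS:
        print("host.example.org IN SSHFP %d %d %s" % (alg, fpt, digest))
    print("cert offered, stripped then checked:",
          host_key_matches_sshfp(DEMO_CERT, DEMO_DNS))
    print("cert offered, checked as-is (pre-fix):",
          host_key_matches_sshfp(DEMO_CERT, DEMO_DNS, strip_cert=False))
```

Run stand-alone it prints the SSHFP RRs for the demo key in the `host IN SSHFP alg fptype digest` form that `ssh-keygen -r` produces, then shows that the offered certificate matches those records only after being reduced to its plain key; with strip_cert=False the certificate type has no SSHFP mapping and nothing matches, which is the point at which the reported client gave up on DNS and fell through to the interactive prompt.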
--- Begin Message ---
Source: openssh
Source-Version: 1:6.6p1-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742513@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 28 Mar 2014 18:04:41 +0000
Source: openssh
Binary: openssh-client openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source i386 all
Version: 1:6.6p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 298138 341883 742308 742513 742541
Changes: 
 openssh (1:6.6p1-1) unstable; urgency=medium
 .
   [ Colin Watson ]
   * Apply various warning-suppression and regression-test fixes to
     gssapi.patch from Damien Miller.
   * New upstream release (http://www.openssh.com/txt/release-6.6,
     LP: #1298280):
     - CVE-2014-2532: sshd(8): when using environment passing with an
       sshd_config(5) AcceptEnv pattern with a wildcard, OpenSSH prior to 6.6
       could be tricked into accepting any environment variable that contains
       the characters before the wildcard character.
   * Re-enable btmp logging, as its permissions were fixed a long time ago in
     response to #370050 (closes: #341883).
   * Change to "PermitRootLogin without-password" for new installations, and
     ask a debconf question when upgrading systems with "PermitRootLogin yes"
     from previous versions (closes: #298138).
   * Debconf translations:
     - Danish (thanks, Joe Hansen).
     - Portuguese (thanks, Américo Monteiro).
     - Russian (thanks, Yuri Kozlov; closes: #742308).
     - Swedish (thanks, Andreas Rönnquist).
     - Japanese (thanks, victory).
     - German (thanks, Stephan Beck; closes: #742541).
     - Italian (thanks, Beatrice Torracca).
   * Don't start ssh-agent from the Upstart user session job if something
     like Xsession has already done so (based on work by Bruno Vasselle;
     LP: #1244736).
 .
   [ Matthew Vernon ]
   * CVE-2014-2653: Fix failure to check SSHFP records if server presents a
     certificate (bug reported by me, patch by upstream's Damien Miller;
     thanks also to Mark Wooding for his help in fixing this) (Closes:
     #742513)
Checksums-Sha1: 
 de927b42fcf22bcbcc806d700b03768c8ad3b440 2637 openssh_6.6p1-1.dsc
 b850fd1af704942d9b3c2eff7ef6b3a59b6a6b6e 1282502 openssh_6.6p1.orig.tar.gz
 d3898f85b9799e7eba3936ae2ac277f62878fd2d 141060 openssh_6.6p1-1.debian.tar.xz
 ded9dfe4deaaa097c30bb342c79dbaec3e1af4a8 667082 openssh-client_6.6p1-1_i386.deb
 fbf8430b0ed184f3b4c626cd7b06963b34475579 320628 openssh-server_6.6p1-1_i386.deb
 139d22adeb131eea0845880981e08e31e2bb4a76 35346 openssh-sftp-server_6.6p1-1_i386.deb
 bceec92916bc7bb00f1ce959454935ce40d3d038 1116 ssh_6.6p1-1_all.deb
 bfc13d9c525c28c209a8424f80264b99fe71772c 104838 ssh-krb5_6.6p1-1_all.deb
 d259f0c7e0db419ead89e671b3da8c513bc867e8 112624 ssh-askpass-gnome_6.6p1-1_i386.deb
 d65475dac1fdda7eccd2cb07e8993d185d055e75 252820 openssh-client-udeb_6.6p1-1_i386.udeb
 255d8241c9298786b20df286e0cb35ded0890348 281614 openssh-server-udeb_6.6p1-1_i386.udeb
Checksums-Sha256: 
 169b2034b12346730f46931d4a41660ba5d098ad2260fc02b77c59bcef8f21f6 2637 openssh_6.6p1-1.dsc
 48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb 1282502 openssh_6.6p1.orig.tar.gz
 d288f17c9f49b9b0797654d0c3c73dce91e6c85a106bb5270d3e3b8314dd06f5 141060 openssh_6.6p1-1.debian.tar.xz
 c4c6ad9b85473260c38f3494e439c6c1ecaea4dff80156149537cdc88ae7fc89 667082 openssh-client_6.6p1-1_i386.deb
 483fe64dcd78670d8831b711b56a7f8f7155e5ccfd2aadd352ec999dd00acb61 320628 openssh-server_6.6p1-1_i386.deb
 ad188919c748d90aa93af2799e6073b80c7aa8bb400552e16af89243dbb24555 35346 openssh-sftp-server_6.6p1-1_i386.deb
 3e930f5bda22cc3f88bb5512af6ca2010e945507c020a3269cfcb965f87c7848 1116 ssh_6.6p1-1_all.deb
 9b7da9036191c4546e5877e17aa5e95435a6542688b98a3e67400f1c2b9d6137 104838 ssh-krb5_6.6p1-1_all.deb
 a6ff8787f8c94965b76a4e08d7856e7d2bd6336ea92daf056d17b8ff256c799b 112624 ssh-askpass-gnome_6.6p1-1_i386.deb
 43c84b544c56510c5a23ef3900284b6a64cef3fdf7452f81ffdfc6a242f0cb30 252820 openssh-client-udeb_6.6p1-1_i386.udeb
 26f4ffc10bd4d589d08fe5df863b69b78f22dcb4ad4a33e14e0807a1e3a57259 281614 openssh-server-udeb_6.6p1-1_i386.udeb
Files: 
 9edf5c71b6b08bc91003fc0cb99a4717 2637 net standard openssh_6.6p1-1.dsc
 3e9800e6bca1fbac0eea4d41baa7f239 1282502 net standard openssh_6.6p1.orig.tar.gz
 d1752ee88d1ac2ea0578d130383927ac 141060 net standard openssh_6.6p1-1.debian.tar.xz
 b27f2f7244836ad087d20fbf628c033c 667082 net standard openssh-client_6.6p1-1_i386.deb
 e6935335fb140c8eff16c2d979e38b55 320628 net optional openssh-server_6.6p1-1_i386.deb
 062ac706ed28e2e29d3e50fc293d019e 35346 net optional openssh-sftp-server_6.6p1-1_i386.deb
 19fbe25a4f92f9a2b6947e8d4f12ce7e 1116 net extra ssh_6.6p1-1_all.deb
 5adc30ce36edeaff1d0336619b84c1a3 104838 oldlibs extra ssh-krb5_6.6p1-1_all.deb
 0b0e13dbca528b2f14f559d76362c0cc 112624 gnome optional ssh-askpass-gnome_6.6p1-1_i386.deb
 4fe65814c4a59d5b80e3d3414d1aaf35 252820 debian-installer optional openssh-client-udeb_6.6p1-1_i386.udeb
 87b3ef5612879df187eff4149a19ea6a 281614 debian-installer optional openssh-server-udeb_6.6p1-1_i386.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer
-----END PGP SIGNATURE-----

--- End Message ---
