Bug#742513: marked as done (If server offers certificate, doesn't fall back to checking SSHFP records (CVE-2014-2653))



Your message dated Sat, 05 Apr 2014 18:02:07 +0000
with message-id <E1WWUut-0001zK-4X@franck.debian.org>
and subject line Bug#742513: fixed in openssh 1:6.0p1-4+deb7u1
has caused the Debian Bug report #742513,
regarding If server offers certificate, doesn't fall back to checking SSHFP records (CVE-2014-2653)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
742513: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-client
Version: 1:6.0p1-4
Severity: important
Tags: security upstream

Hi,

I've been looking at handling host keys better, and tripped over this
bug. Essentially, if the server offers a HostCertificate that the
client doesn't accept, then the client doesn't check for SSHFP
records.

Setup to reproduce:

Server has a HostCertificate, and appropriate SSHFP entries in the DNS. 

Client does /not/ have a @cert-authority entry in known_hosts

What should happen:

Server offers the certificate, client rejects it and then validates
the SSHFP entry, and goes on to connect.

What does happen:

Server offers the certificate, client rejects it and then falls back
to prompting the user.

You can work around this by doing -o 'HostKeyAlgorithms=ssh-rsa', but
that disables certificate checking entirely, so it isn't actually a fix.

I think this is a security issue, as host key checking is IMO
important security-wise, but I think "important" is the correct
severity.

Regards,

Matthew

-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  dpkg                   1.16.12
ii  libc6                  2.13-38+deb7u1
ii  libedit2               2.11-20080614-5
ii  libgssapi-krb5-2       1.10.1+dfsg-5+deb7u1
ii  libselinux1            2.1.9-5
ii  libssl1.0.0            1.0.1e-2+deb7u4
ii  passwd                 1:4.1.5.1-1
ii  zlib1g                 1:1.2.7.dfsg-13

Versions of packages openssh-client recommends:
ii  openssh-blacklist        0.4.1+nmu1
ii  openssh-blacklist-extra  0.4.1+nmu1
ii  xauth                    1:1.0.7-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- Configuration Files:
/etc/ssh/ssh_config changed:
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no


-- no debconf information

--- End Message ---
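The SSHFP validation the report expects the client to fall back to, as an added example that is neither the reporter's code nor OpenSSH's own: it derives the SSHFP records for a host key (the data `ssh-keygen -r` publishes), matches them against records as fetched from DNS, and models the check order of certificate, then SSHFP, then prompt. The key bytes are constructed, and `host_key_decision` is a hypothetical model of that order, not the OpenSSH code path.

```python
# Added illustration; key material below is constructed, not a real host key.
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594) for OpenSSH key types,
# and fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def make_ed25519_pubkey_line(raw32: bytes) -> str:
    """Build a known_hosts-style 'ssh-ed25519 <base64>' line from 32 constructed bytes."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

def sshfp_records(pubkey_line: str) -> list:
    """(algorithm, fptype, hex) tuples for one public key line, the data that
    `ssh-keygen -r` publishes. The hash covers the whole decoded key blob."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    algo = SSHFP_ALGO[keytype]
    return [(algo, fptype, h(blob).hexdigest()) for fptype, h in SSHFP_HASH.items()]

def host_key_matches_dns(pubkey_line: str, dns_records) -> bool:
    """True if any SSHFP record fetched from DNS matches the presented host key.
    The hex field is compared case-insensitively, as DNS tooling varies."""
    wanted = {(a, t, f.lower()) for a, t, f in sshfp_records(pubkey_line)}
    return any((a, t, f.lower()) in wanted for a, t, f in dns_records)

def host_key_decision(cert_presented, cert_trusted_by_ca, pubkey_line, dns_records):
    """Hypothetical model of the check order the report expects: a certificate
    signed by a known @cert-authority is accepted; otherwise fall back to SSHFP;
    prompt only if neither matches. The reported bug went straight to the
    prompt whenever a certificate had been presented and rejected."""
    if cert_presented and cert_trusted_by_ca:
        return "accept-certificate"
    if host_key_matches_dns(pubkey_line, dns_records):
        return "accept-sshfp"
    return "prompt-user"
```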
--- Begin Message ---
Source: openssh
Source-Version: 1:6.0p1-4+deb7u1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742513@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 03 Apr 2014 00:05:17 +0100
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source i386 all
Version: 1:6.0p1-4+deb7u1
Distribution: stable-security
Urgency: high
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 742513
Changes: 
 openssh (1:6.0p1-4+deb7u1) stable-security; urgency=high
 .
   * CVE-2014-2532: Disallow invalid characters in environment variable names
     to prevent bypassing AcceptEnv wildcard restrictions.
   * CVE-2014-2653: Attempt SSHFP lookup even if server presents a
     certificate (closes: #742513).
Checksums-Sha1: 
Checksums-Sha256: 
Files: 
Package-Type: udeb


--- End Message ---