
Bug#742513: marked as done (If server offers certificate, doesn't fall back to checking SSHFP records (CVE-2014-2653))



Your message dated Sat, 05 Apr 2014 19:02:32 +0000
with message-id <E1WWVrM-0000Ux-8U@franck.debian.org>
and subject line Bug#742513: fixed in openssh 1:5.5p1-6+squeeze5
has caused the Debian Bug report #742513,
regarding If server offers certificate, doesn't fall back to checking SSHFP records (CVE-2014-2653)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
742513: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-client
Version: 1:6.0p1-4
Severity: important
Tags: security upstream

Hi,

I've been looking at handling host keys better, and tripped over this
bug. Essentially, if the server offers a HostCertificate that the
client doesn't accept, then the client doesn't then check for SSHFP
records.

Setup to reproduce:

Server has a HostCertificate, and appropriate SSHFP entries in the DNS.

Client does /not/ have a @cert-authority entry in known_hosts

What should happen:

Server offers the certificate, client rejects it and then validates
the SSHFP entry, and goes on to connect.

What does happen:

Server offers the certificate, client rejects it and then falls back
to prompting the user.

You can work around this by doing -o 'HostKeyAlgorithms=ssh-rsa', but
that disables certificate checking entirely, so isn't actually a fix.

I think this is a security issue, as host key checking is IMO
important security-wise, but I think "important" is the correct
severity.

Regards,

Matthew

-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  dpkg                   1.16.12
ii  libc6                  2.13-38+deb7u1
ii  libedit2               2.11-20080614-5
ii  libgssapi-krb5-2       1.10.1+dfsg-5+deb7u1
ii  libselinux1            2.1.9-5
ii  libssl1.0.0            1.0.1e-2+deb7u4
ii  passwd                 1:4.1.5.1-1
ii  zlib1g                 1:1.2.7.dfsg-13

Versions of packages openssh-client recommends:
ii  openssh-blacklist        0.4.1+nmu1
ii  openssh-blacklist-extra  0.4.1+nmu1
ii  xauth                    1:1.0.7-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- Configuration Files:
/etc/ssh/ssh_config changed:
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no


-- no debconf information

--- End Message ---
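The check the report expects the client to perform, as an added example that is not part of the bug report or of OpenSSH's code: strip the certificate wrapper from the presented host key, then compare the plain key's SSHFP fingerprints against the DNS records. It assumes the ed25519 certificate layout only, and the key, certificate and DNS records are constructed placeholders.

```python
import base64
import hashlib
import struct

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, 6594, 7479).
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}
CERT_SUFFIX = "-cert-v01@openssh.com"

def ssh_string(b):
    return struct.pack(">I", len(b)) + b

def read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def drop_certificate(blob):
    """Plain host key blob behind an OpenSSH certificate blob (ed25519 only).
    The plain wire format is string(type) || string(pk); the certificate
    carries string(cert type) || string(nonce) || string(pk) || ..."""
    ktype, off = read_string(blob, 0)
    ktype = ktype.decode()
    if not ktype.endswith(CERT_SUFFIX):
        return blob
    base = ktype[:-len(CERT_SUFFIX)]
    if base != "ssh-ed25519":
        raise ValueError("unsupported certificate type " + ktype)
    _nonce, off = read_string(blob, off)
    pk, _ = read_string(blob, off)
    return ssh_string(base.encode()) + ssh_string(pk)

def sshfp_for(blob, fptype=2):
    """SSHFP (algorithm, fptype, hex fingerprint) of a plain key blob."""
    ktype, _ = read_string(blob, 0)
    return (SSHFP_ALGO[ktype.decode()], fptype, SSHFP_HASH[fptype](blob).hexdigest())

def hostkey_matches_sshfp(pubkey_line, records):
    """records: iterable of (algorithm, fptype, hexfp) as served from DNS."""
    _, b64 = pubkey_line.split()[:2]
    blob = drop_certificate(base64.b64decode(b64))  # the fallback the bug lacked
    return any(fptype in SSHFP_HASH and (algo, fptype, hexfp.lower()) == sshfp_for(blob, fptype)
               for algo, fptype, hexfp in records)

# Constructed sample: placeholder 32-byte key inside a minimal certificate
# blob; the serial/type/validity/CA/signature fields are dummies, never verified.
PK = bytes(range(32))
PLAIN_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(PK)
CERT_BLOB = (ssh_string(b"ssh-ed25519" + CERT_SUFFIX.encode()) + ssh_string(b"nonce")
             + ssh_string(PK) + struct.pack(">QI", 1, 2) + ssh_string(b"host.example")
             + ssh_string(b"") + struct.pack(">QQ", 0, 2**64 - 1) + ssh_string(b"") * 3
             + ssh_string(b"ca-key") + ssh_string(b"sig"))
CERT_LINE = "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(CERT_BLOB).decode()
DNS_RECORDS = [sshfp_for(PLAIN_BLOB, 1), sshfp_for(PLAIN_BLOB, 2)]  # constructed
```

Without `drop_certificate`, the hash would be taken over the certificate blob and never match the SSHFP records published for the underlying key, which is why the client fell back to prompting.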
--- Begin Message ---
Source: openssh
Source-Version: 1:5.5p1-6+squeeze5

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742513@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 03 Apr 2014 01:05:27 +0100
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source i386 all
Version: 1:5.5p1-6+squeeze5
Distribution: oldstable-security
Urgency: high
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 742513
Changes: 
 openssh (1:5.5p1-6+squeeze5) oldstable-security; urgency=high
 .
   * CVE-2014-2532: Disallow invalid characters in environment variable names
     to prevent bypassing AcceptEnv wildcard restrictions.
   * CVE-2014-2653: Attempt SSHFP lookup even if server presents a
     certificate (closes: #742513).
Checksums-Sha1: 
Checksums-Sha256: 
Files: 
Package-Type: udeb


--- End Message ---
