
Bug#407754: marked as done (openssh-server: GSSAPICleanupCredentials doesn't, unless PrivilegeSeparation is enabled)



Your message dated Sun, 02 Apr 2017 03:04:01 +0000
with message-id <E1cuVo9-00069c-Ns@fasolo.debian.org>
and subject line Bug#407754: fixed in openssh 1:7.5p1-1
has caused the Debian Bug report #407754,
regarding openssh-server: GSSAPICleanupCredentials doesn't, unless PrivilegeSeparation is enabled
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
407754: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=407754
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 4.3p2-8

It seems that GSSAPI credentials are not cleaned up unless 
PrivilegeSeparation is enabled. I prefer to keep that off so that I can 
use pam_krb5 keyboard-interactive authentication when I don't already 
have keys. Unfortunately if I do, /tmp quickly fills with old 
credential caches.


--- End Message ---
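The reporter's setup (GSSAPI authentication with UsePrivilegeSeparation turned off so pam_krb5 keyboard-interactive works) is the combination under which sshd never removed the caches. The following is an added example, not code from the bug report or the Debian package: a small audit script that reads an sshd_config the way sshd does (first match wins, compiled-in default otherwise), flags that combination, and counts leftover caches. It assumes the MIT Kerberos `krb5cc_*` naming for caches in /tmp; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not from the bug report or the openssh package).
# Audits an sshd_config for "GSSAPI cleanup on, privilege separation off"
# and counts leftover Kerberos credential caches. Assumes MIT-style
# 'krb5cc_*' file names in /tmp.

# Effective value of one sshd_config keyword. Keywords are matched
# case-insensitively and the first occurrence wins, as sshd parses them;
# $3 is the compiled-in default used when the keyword is absent.
sshd_opt() {
    config="$1"; key="$2"; default="$3"
    val=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$config")
    printf '%s\n' "${val:-$default}"
}

# True (exit 0) when GSSAPICleanupCredentials is on (its default) while
# UsePrivilegeSeparation is off. This only matters for servers older than
# OpenSSH 7.5, which deprecated the option and made privsep mandatory.
cleanup_at_risk() {
    config="$1"
    ps=$(sshd_opt "$config" UsePrivilegeSeparation yes)
    gc=$(sshd_opt "$config" GSSAPICleanupCredentials yes)
    [ "$ps" = "no" ] && [ "$gc" = "yes" ]
}

# Number of credential caches in directory $1 untouched for more than $2 days.
stale_cache_count() {
    find "$1" -maxdepth 1 -name 'krb5cc_*' -mtime +"$2" 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sshd_config fragment mirroring the reporter's configuration.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample, not a real server's config
UsePrivilegeSeparation no
KerberosAuthentication yes
GSSAPIAuthentication yes
ChallengeResponseAuthentication yes
EOF

if cleanup_at_risk "$SAMPLE_CFG"; then
    echo "sshd_config: GSSAPI credential cleanup depends on privilege separation; caches will accumulate"
fi
echo "caches in /tmp older than one day: $(stale_cache_count /tmp 1)"
rm -f "$SAMPLE_CFG"
```

On a 7.5 or later server the UsePrivilegeSeparation check is moot; the cache count alone is still a useful indicator of leftover credentials.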
--- Begin Message ---
Source: openssh
Source-Version: 1:7.5p1-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 407754@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 02 Apr 2017 02:58:01 +0100
Source: openssh
Binary: openssh-client openssh-client-ssh1 openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.5p1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-ssh1 - secure shell (SSH) client for legacy SSH1 protocol
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 407754
Changes:
 openssh (1:7.5p1-1) experimental; urgency=medium
 .
   * New upstream release (https://www.openssh.com/txt/release-7.5):
     - SECURITY: ssh(1), sshd(8): Fix weakness in CBC padding oracle
       countermeasures that allowed a variant of the attack fixed in OpenSSH
       7.3 to proceed.  Note that the OpenSSH client disables CBC ciphers by
       default, sshd offers them as lowest-preference options and will remove
       them by default entirely in the next release.
     - This release deprecates the sshd_config UsePrivilegeSeparation option,
       thereby making privilege separation mandatory (closes: #407754).
     - The format of several log messages emitted by the packet code has
       changed to include additional information about the user and their
       authentication state.  Software that monitors ssh/sshd logs may need
       to account for these changes.
     - ssh(1), sshd(8): Support "=-" syntax to easily remove methods from
       algorithm lists, e.g. Ciphers=-*cbc.
     - sshd(1): Fix NULL dereference crash when key exchange start messages
       are sent out of sequence.
     - ssh(1), sshd(8): Allow form-feed characters to appear in configuration
       files.
     - sshd(8): Fix regression in OpenSSH 7.4 support for the server-sig-algs
       extension, where SHA2 RSA signature methods were not being correctly
       advertised.
     - ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in
       known_hosts processing.
     - ssh(1): Allow ssh to use certificates accompanied by a private key
       file but no corresponding plain *.pub public key.
     - ssh(1): When updating hostkeys using the UpdateHostKeys option, accept
       RSA keys if HostkeyAlgorithms contains any RSA keytype.  Previously,
       ssh could ignore RSA keys when only the ssh-rsa-sha2-* methods were
       enabled in HostkeyAlgorithms and not the old ssh-rsa method.
     - ssh(1): Detect and report excessively long configuration file lines.
     - Merge a number of fixes found by Coverity and reported via Redhat and
       FreeBSD.  Includes fixes for some memory and file descriptor leaks in
       error paths.
     - ssh(1), sshd(8): When logging long messages to stderr, don't truncate
       "\r\n" if the length of the message exceeds the buffer.
     - ssh(1): Fully quote [host]:port in generated ProxyJump/-J command-
       line; avoid confusion over IPv6 addresses and shells that treat square
       bracket characters specially.
     - Fix various fallout and sharp edges caused by removing SSH protocol 1
       support from the server, including the server banner string being
       incorrectly terminated with only \n (instead of \r\n), confusing error
       messages from ssh-keyscan, and a segfault in sshd if protocol v.1 was
       enabled for the client and sshd_config contained references to legacy
       keys.
     - ssh(1), sshd(8): Free fd_set on connection timeout.
     - sftp(1): Fix division by zero crash in "df" output when server returns
       zero total filesystem blocks/inodes.
     - ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors
       encountered during key loading to more meaningful error codes.
     - ssh-keygen(1): Sanitise escape sequences in key comments sent to
       printf but preserve valid UTF-8 when the locale supports it.
     - ssh(1), sshd(8): Return reason for port forwarding failures where
       feasible rather than always "administratively prohibited".
     - sshd(8): Fix deadlock when AuthorizedKeysCommand or
       AuthorizedPrincipalsCommand produces a lot of output and a key is
       matched early.
     - ssh(1): Fix typo in ~C error message for bad port forward
       cancellation.
     - ssh(1): Show a useful error message when included config files can't
       be opened.
     - sshd_config(5): Repair accidentally-deleted mention of %k token in
       AuthorizedKeysCommand.
     - sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM.
     - ssh-agent(1): Relax PKCS#11 whitelist to include libexec and common
       32-bit compatibility library directories.
     - sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME
       response handling.
     - ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted keys.
       It was not possible to delete them except by specifying their full
       physical path.
     - sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA
       crypto coprocessor.
     - sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox arg
       inspection.
     - ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for various that
       contain non-printable characters where the codeset in use is ASCII.

-----BEGIN PGP SIGNATURE-----
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer
-----END PGP SIGNATURE-----

--- End Message ---