Security update for openssh

SUSE Security Update: Security update for openssh
Announcement ID: SUSE-SU-2015:1581-1
Rating: important
References: #673532 #903649 #905118 #914309 #916549 #932483 #936695 #938746 #943006 #943010 #945493
Affected Products:
  • SUSE Linux Enterprise Server for VMWare 11-SP3
  • SUSE Linux Enterprise Server 11-SP3
  • SUSE Linux Enterprise Desktop 11-SP3
  • SUSE Linux Enterprise Debuginfo 11-SP3

  • An update that solves 5 vulnerabilities and has 6 fixes is now available.

    Description:

    openssh was updated to fix several security issues and bugs.

    These security issues were fixed:
    * CVE-2015-5352: The x11_open_helper function in channels.c in ssh in
    OpenSSH when ForwardX11Trusted mode is not used, lacked a check of the
    refusal deadline for X connections, which made it easier for remote
    attackers to bypass intended access restrictions via a connection outside
    of the permitted time window (bsc#936695).
    * CVE-2015-5600: The kbdint_next_device function in auth2-chall.c in sshd
    in OpenSSH did not properly restrict the processing of
    keyboard-interactive devices within a single connection, which made it
    easier for remote attackers to conduct brute-force attacks or cause a
    denial of service (CPU consumption) via a long and duplicative list in
    the ssh -oKbdInteractiveDevices option, as demonstrated by a modified
    client that provides a different password for each pam element on this
    list (bsc#938746).
    * CVE-2015-4000: Removed and disabled weak DH groups to address LOGJAM
    (bsc#932483).
    * Hardening patch to fix sftp RCE (bsc#903649).
    * CVE-2015-6563: The monitor component in sshd in OpenSSH accepted
    extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which
    allowed local users to conduct impersonation attacks by leveraging any
    SSH login access in conjunction with control of the sshd uid to send a
    crafted MONITOR_REQ_PWNAM request, related to monitor.c and
    monitor_wrap.c.
    * CVE-2015-6564: Use-after-free vulnerability in the
    mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH might
    have allowed local users to gain privileges by leveraging control of the
    sshd uid to send an unexpectedly early MONITOR_REQ_PAM_FREE_CTX request.

    These non-security issues were fixed:
    - bsc#914309: sshd inherits oom_adj -17 on SIGHUP causing DoS potential
    for oom_killer.
    - bsc#673532: limits.conf fsize change in SLES10SP3 causing problems to
    WebSphere mqm user.
    - bsc#916549: Fixed support for aesXXX-gcm@openssh.com.

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Server for VMWare 11-SP3:
      zypper in -t patch slessp3-openssh-12096=1
    • SUSE Linux Enterprise Server 11-SP3:
      zypper in -t patch slessp3-openssh-12096=1
    • SUSE Linux Enterprise Desktop 11-SP3:
      zypper in -t patch sledsp3-openssh-12096=1
    • SUSE Linux Enterprise Debuginfo 11-SP3:
      zypper in -t patch dbgsp3-openssh-12096=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Server for VMWare 11-SP3 (i586 x86_64):
      • openssh-6.2p2-0.21.1
      • openssh-askpass-6.2p2-0.21.1
      • openssh-askpass-gnome-6.2p2-0.21.3
    • SUSE Linux Enterprise Server 11-SP3 (i586 ia64 ppc64 s390x x86_64):
      • openssh-6.2p2-0.21.1
      • openssh-askpass-6.2p2-0.21.1
      • openssh-askpass-gnome-6.2p2-0.21.3
    • SUSE Linux Enterprise Desktop 11-SP3 (i586 x86_64):
      • openssh-6.2p2-0.21.1
      • openssh-askpass-6.2p2-0.21.1
      • openssh-askpass-gnome-6.2p2-0.21.3
    • SUSE Linux Enterprise Debuginfo 11-SP3 (i586 ia64 ppc64 s390x x86_64):
      • openssh-askpass-gnome-debuginfo-6.2p2-0.21.3
      • openssh-debuginfo-6.2p2-0.21.1
      • openssh-debugsource-6.2p2-0.21.1

    References: