Security update for openssh

Announcement ID:	SUSE-SU-2016:1386-1
Rating:	moderate
References:	bsc#729190 bsc#932483 bsc#945484 bsc#945493 bsc#947458 bsc#948902 bsc#960414 bsc#961368 bsc#962313 bsc#965576 bsc#970632 bsc#975865
Cross-References:	CVE-2015-8325 CVE-2016-1908 CVE-2016-3115
CVSS scores:	CVE-2015-8325 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-1908 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-1908 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-3115 ( NVD ): 6.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Affected Products:	SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1

An update that solves three vulnerabilities and has nine security fixes can now be installed.

Description:

This update for OpenSSH fixes three security issues.

These security issues were fixed: - CVE-2016-3115: Sanitise input for xauth(1) (bsc#970632) - CVE-2016-1908: Prevent X11 SECURITY circumvention when forwarding X11 connections (bsc#962313) - CVE-2015-8325: Ignore PAM environment when using login (bsc#975865)

These non-security issues were fixed: - Fix help output of sftp (bsc#945493) - Restarting openssh with openssh-fips installed was not working correctly (bsc#945484) - Fix crashes when /proc is not available in the chroot (bsc#947458) - Correctly parse GSSAPI KEX algorithms (bsc#961368) - More verbose FIPS mode/CC related documentation in README.FIPS (bsc#965576, bsc#960414) - Fix PRNG re-seeding (bsc#960414, bsc#729190) - Disable DH parameters under 2048 bits by default and allow lowering the limit back to the RFC 4419 specified minimum through an option (bsc#932483, bsc#948902)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Desktop 12 SP1
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-818=1
• SUSE Linux Enterprise Desktop 12
  zypper in -t patch SUSE-SLE-DESKTOP-12-2016-818=1
• SUSE Linux Enterprise Server 12
  zypper in -t patch SUSE-SLE-SERVER-12-2016-818=1
• SUSE Linux Enterprise Server for SAP Applications 12
  zypper in -t patch SUSE-SLE-SERVER-12-2016-818=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-818=1
• SUSE Linux Enterprise Server 12 SP1
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-818=1

Package List:

• SUSE Linux Enterprise Desktop 12 SP1 (x86_64)
  • openssh-helpers-6.6p1-42.1
  • openssh-helpers-debuginfo-6.6p1-42.1
  • openssh-6.6p1-42.1
  • openssh-debuginfo-6.6p1-42.1
  • openssh-debugsource-6.6p1-42.1
  • openssh-askpass-gnome-6.6p1-42.1
  • openssh-askpass-gnome-debuginfo-6.6p1-42.1
• SUSE Linux Enterprise Desktop 12 (x86_64)
  • openssh-helpers-6.6p1-42.1
  • openssh-helpers-debuginfo-6.6p1-42.1
  • openssh-6.6p1-42.1
  • openssh-debuginfo-6.6p1-42.1
  • openssh-debugsource-6.6p1-42.1
  • openssh-askpass-gnome-6.6p1-42.1
  • openssh-askpass-gnome-debuginfo-6.6p1-42.1
• SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64)
  • openssh-helpers-6.6p1-42.1
  • openssh-helpers-debuginfo-6.6p1-42.1
  • openssh-6.6p1-42.1
  • openssh-debuginfo-6.6p1-42.1
  • openssh-debugsource-6.6p1-42.1
  • openssh-fips-6.6p1-42.1
  • openssh-askpass-gnome-6.6p1-42.1
  • openssh-askpass-gnome-debuginfo-6.6p1-42.1
• SUSE Linux Enterprise Server for SAP Applications 12 (x86_64)
  • openssh-helpers-6.6p1-42.1
  • openssh-helpers-debuginfo-6.6p1-42.1
  • openssh-6.6p1-42.1
  • openssh-debuginfo-6.6p1-42.1
  • openssh-debugsource-6.6p1-42.1
  • openssh-fips-6.6p1-42.1
  • openssh-askpass-gnome-6.6p1-42.1
  • openssh-askpass-gnome-debuginfo-6.6p1-42.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1 (ppc64le x86_64)
  • openssh-helpers-6.6p1-42.1
  • openssh-helpers-debuginfo-6.6p1-42.1
  • openssh-6.6p1-42.1
  • openssh-debuginfo-6.6p1-42.1
  • openssh-debugsource-6.6p1-42.1
  • openssh-fips-6.6p1-42.1
  • openssh-askpass-gnome-6.6p1-42.1
  • openssh-askpass-gnome-debuginfo-6.6p1-42.1
• SUSE Linux Enterprise Server 12 SP1 (ppc64le s390x x86_64)
  • openssh-helpers-6.6p1-42.1
  • openssh-helpers-debuginfo-6.6p1-42.1
  • openssh-6.6p1-42.1
  • openssh-debuginfo-6.6p1-42.1
  • openssh-debugsource-6.6p1-42.1
  • openssh-fips-6.6p1-42.1
  • openssh-askpass-gnome-6.6p1-42.1
  • openssh-askpass-gnome-debuginfo-6.6p1-42.1

References:

• https://www.suse.com/security/cve/CVE-2015-8325.html
• https://www.suse.com/security/cve/CVE-2016-1908.html
• https://www.suse.com/security/cve/CVE-2016-3115.html
• https://bugzilla.suse.com/show_bug.cgi?id=729190
• https://bugzilla.suse.com/show_bug.cgi?id=932483
• https://bugzilla.suse.com/show_bug.cgi?id=945484
• https://bugzilla.suse.com/show_bug.cgi?id=945493
• https://bugzilla.suse.com/show_bug.cgi?id=947458
• https://bugzilla.suse.com/show_bug.cgi?id=948902
• https://bugzilla.suse.com/show_bug.cgi?id=960414
• https://bugzilla.suse.com/show_bug.cgi?id=961368
• https://bugzilla.suse.com/show_bug.cgi?id=962313
• https://bugzilla.suse.com/show_bug.cgi?id=965576
• https://bugzilla.suse.com/show_bug.cgi?id=970632
• https://bugzilla.suse.com/show_bug.cgi?id=975865