1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 3550-1] openssh security update

    From Moritz Muehlenhoff@1:229/2 to All on Fri Apr 15 19:20:03 2016
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-3550-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff
    April 15, 2016 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : openssh
    CVE ID : CVE-2015-8325

    Shayan Sadigh discovered a vulnerability in OpenSSH: If PAM support is
    enabled and the sshd PAM configuration is configured to read user-
    specified environment variables and the "UseLogin" option is enabled, a
    local user may escalate her privileges to root.

    In Debian "UseLogin" is not enabled by default.

    For the oldstable distribution (wheezy), this problem has been fixed
    in version 6.0p1-4+deb7u4.

    For the stable distribution (jessie), this problem has been fixed in
    version 6.7p1-5+deb8u2.

    For the unstable distribution (sid), this problem has been fixed in
    version 1:7.2p2-3.

    We recommend that you upgrade your openssh packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2

    iQIcBAEBCAAGBQJXER/aAAoJEBDCk7bDfE42NewQAI+mY4sv/x7S9hBMTqozVfKs 9G2H2qAfE23PIs3a/IPsdmdTK+baavJBCWMKSQCgaBcorl+t1dE8hWBnWu7Hp+SY jBh+a8jTr6ZvaTVotePwmyjLeJiHoQ6YmgMS41QT05dxXhuVmFYAtCZ2oF6isxGk vgVdsHDfZ4Z72b5CODACyAG1twmFgqWu7VNwqhqNGfA/+vgNrk5iAa2b5iOAbXrh AyzVFFuQr+vbvHlAI/fBW/oeHvlDZuTUiNqRGQ4I0ELiFcjBJoTUo08qXww1GFU9 aIwO0w/rv/qmRFzDK5dasA/VSGza8pmdXj64HcDFNdpoJPrwL3JD/PT1l3sA4vcW GaNsmHn8ZQAMSn50WomPiqrwc+4F+fcXRz/VTUrQdrIplQ7NikB26oxB8Y3/8rws Pzjv6MDOF+LSMAoC6E7NjeAO6S55cXv6VCoRMPYEDVcVcwOKqxXCvA4p/3wBo/D6 okZI0DgrwbygBMlpSUyF6c3QDgazgzVvdPed3sZnBPMEvbFbaPEO52ijQpT/majX wZtENdhTD4vX7glwBoA67ZRRBVSjpTZu2jTELFLjJaOOMCPWrj+GEE65wWDYa+Sx es1bq7thEuR/sV1QJf3XDt8KQHLF836ixL9c6XblvqNBXSr98yf8ZFZM5nqgq/2O MrVWLIbaBJbfUSXBINTp
    =sYuW
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
  • From Damien MURE@1:229/2 to All on Mon Apr 18 10:00:02 2016
    XPost: linux.debian.security
    From: [email protected]

    Mise � jour securit� sur ssh.

    A+



    Damien Mure
    Ing�nieur Syst�mes & R�seaux
    P�le Syst�me et r�seau - Service Architecture et production informatiques Agence technique de l'information sur l'hospitalisation (ATIH)
    117, bd Marius Vivier Merle 69329 Lyon cedex 03
    T�l: 04 37 91 33 18
    [email protected] - www.atih.sante.fr



    -----Message d'origine-----
    De�: Moritz Muehlenhoff [mailto:[email protected]]
    Envoy�: vendredi 15 avril 2016 19:09
    ��: [email protected]
    Objet�: [SECURITY] [DSA 3550-1] openssh security update
    Importance�: Haute

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-3550-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff
    April 15, 2016 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : openssh
    CVE ID : CVE-2015-8325

    Shayan Sadigh discovered a vulnerability in OpenSSH: If PAM support is enabled and the sshd PAM configuration is configured to read user- specified environment variables and the "UseLogin" option is enabled, a local user may escalate her privileges to
    root.

    In Debian "UseLogin" is not enabled by default.

    For the oldstable distribution (wheezy), this problem has been fixed in version 6.0p1-4+deb7u4.

    For the stable distribution (jessie), this problem has been fixed in version 6.7p1-5+deb8u2.

    For the unstable distribution (sid), this problem has been fixed in version 1:7.2p2-3.

    We recommend that you upgrade your openssh packages.

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2

    iQIcBAEBCAAGBQJXER/aAAoJEBDCk7bDfE42NewQAI+mY4sv/x7S9hBMTqozVfKs 9G2H2qAfE23PIs3a/IPsdmdTK+baavJBCWMKSQCgaBcorl+t1dE8hWBnWu7Hp+SY jBh+a8jTr6ZvaTVotePwmyjLeJiHoQ6YmgMS41QT05dxXhuVmFYAtCZ2oF6isxGk vgVdsHDfZ4Z72b5CODACyAG1twmFgqWu7VNwqhqNGfA/+vgNrk5iAa2b5iOAbXrh AyzVFFuQr+vbvHlAI/fBW/oeHvlDZuTUiNqRGQ4I0ELiFcjBJoTUo08qXww1GFU9 aIwO0w/rv/qmRFzDK5dasA/VSGza8pmdXj64HcDFNdpoJPrwL3JD/PT1l3sA4vcW GaNsmHn8ZQAMSn50WomPiqrwc+4F+fcXRz/VTUrQdrIplQ7NikB26oxB8Y3/8rws Pzjv6MDOF+LSMAoC6E7NjeAO6S55cXv6VCoRMPYEDVcVcwOKqxXCvA4p/3wBo/D6 okZI0DgrwbygBMlpSUyF6c3QDgazgzVvdPed3sZnBPMEvbFbaPEO52ijQpT/majX wZtENdhTD4vX7glwBoA67ZRRBVSjpTZu2jTELFLjJaOOMCPWrj+GEE65wWDYa+Sx es1bq7thEuR/sV1QJf3XDt8KQHLF836ixL9c6XblvqNBXSr98yf8ZFZM5nqgq/2O MrVWLIbaBJbfUSXBINTp
    =sYuW
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)