Security update for openssh

Announcement ID: SUSE-SU-2015:1695-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2015-4000 ( NVD ): 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products:
  • SLES for SAP Applications 11-SP4
  • SUSE Linux Enterprise Desktop 11 SP4
  • SUSE Linux Enterprise Server 11 SP4

An update that solves five vulnerabilities and has five security fixes can now be installed.

Description:

OpenSSH was updated to fix several security issues and bugs.

Please note that due to a bug in the previous shipped openssh version, sshd might not correctly restart. Please verify that the ssh daemon is running after installing this update.

These security issues were fixed:

  • CVE-2015-5352: The x11_open_helper function, when ForwardX11Trusted mode is not used, lacked a check of the refusal deadline for X connections, which made it easier for remote attackers to bypass intended access restrictions via a connection outside of the permitted time window. (bsc#936695)

  • CVE-2015-5600: The kbdint_next_device function in auth2-chall.c in sshd did not properly restrict the processing of keyboard-interactive devices within a single connection, which made it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list. (bsc#938746)

  • CVE-2015-4000: Removed and disabled weak DH groups to address LOGJAM. (bsc#932483)

  • Hardening patch to fix sftp RCE. (bsc#903649)

  • CVE-2015-6563: The monitor component in sshd accepted extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which allowed local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the sshd uid to send a crafted MONITOR_REQ_PWNAM request, related to monitor.c and monitor_wrap.c.

  • CVE-2015-6564: Use-after-free vulnerability in the mm_answer_pam_free_ctx function in monitor.c in sshd might have allowed local users to gain privileges by leveraging control of the sshd uid to send an unexpectedly early MONITOR_REQ_PAM_FREE_CTX request.

Additional a bug was fixed that could lead to openssh not working in chroot (bsc#947458).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Desktop 11 SP4
    zypper in -t patch sledsp4-openssh-12119=1
  • SUSE Linux Enterprise Server 11 SP4
    zypper in -t patch slessp4-openssh-12119=1
  • SLES for SAP Applications 11-SP4
    zypper in -t patch slessp4-openssh-12119=1

Package List:

  • SUSE Linux Enterprise Desktop 11 SP4 (x86_64 i586)
    • openssh-helpers-6.6p1-13.1
    • openssh-6.6p1-13.1
    • openssh-askpass-gnome-6.6p1-13.3
  • SUSE Linux Enterprise Server 11 SP4 (s390x x86_64 i586 ppc64 ia64)
    • openssh-helpers-6.6p1-13.1
    • openssh-6.6p1-13.1
    • openssh-askpass-gnome-6.6p1-13.3
    • openssh-fips-6.6p1-13.1
  • SLES for SAP Applications 11-SP4 (ppc64 x86_64)
    • openssh-helpers-6.6p1-13.1
    • openssh-6.6p1-13.1
    • openssh-askpass-gnome-6.6p1-13.3
    • openssh-fips-6.6p1-13.1

References: