Security update for openssh

Announcement ID:	SUSE-SU-2016:2280-1
Rating:	moderate
References:	bsc#948902 bsc#981654 bsc#989363 bsc#992533
Cross-References:	CVE-2016-6210 CVE-2016-6515
CVSS scores:	CVE-2016-6210 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2016-6515 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 LTSS 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1

An update that solves two vulnerabilities and has two security fixes can now be installed.

Description:

This update for openssh fixes the following issues:

• Prevent user enumeration through the timing of password processing (bsc#989363, CVE-2016-6210) [-prevent_timing_user_enumeration]
• Allow lowering the DH groups parameter limit in server as well as when GSSAPI key exchange is used (bsc#948902)
• limit accepted password length (prevents possible DoS) (bsc#992533, CVE-2016-6515)

Bug fixes: - avoid complaining about unset DISPLAY variable (bsc#981654)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Desktop 12 SP1
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1332=1
• SUSE Linux Enterprise Server for SAP Applications 12
  zypper in -t patch SUSE-SLE-SAP-12-2016-1332=1
• SUSE Linux Enterprise Server 12 LTSS 12
  zypper in -t patch SUSE-SLE-SERVER-12-2016-1332=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1332=1
• SUSE Linux Enterprise Server 12 SP1
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1332=1

Package List:

• SUSE Linux Enterprise Desktop 12 SP1 (x86_64)
  • openssh-debuginfo-6.6p1-52.1
  • openssh-debugsource-6.6p1-52.1
  • openssh-6.6p1-52.1
  • openssh-helpers-debuginfo-6.6p1-52.1
  • openssh-helpers-6.6p1-52.1
  • openssh-askpass-gnome-6.6p1-52.1
  • openssh-askpass-gnome-debuginfo-6.6p1-52.1
• SUSE Linux Enterprise Server for SAP Applications 12 (x86_64)
  • openssh-debuginfo-6.6p1-52.1
  • openssh-debugsource-6.6p1-52.1
  • openssh-fips-6.6p1-52.1
  • openssh-6.6p1-52.1
  • openssh-helpers-debuginfo-6.6p1-52.1
  • openssh-helpers-6.6p1-52.1
  • openssh-askpass-gnome-6.6p1-52.1
  • openssh-askpass-gnome-debuginfo-6.6p1-52.1
• SUSE Linux Enterprise Server 12 LTSS 12 (ppc64le s390x x86_64)
  • openssh-debuginfo-6.6p1-52.1
  • openssh-debugsource-6.6p1-52.1
  • openssh-fips-6.6p1-52.1
  • openssh-6.6p1-52.1
  • openssh-helpers-debuginfo-6.6p1-52.1
  • openssh-helpers-6.6p1-52.1
  • openssh-askpass-gnome-6.6p1-52.1
  • openssh-askpass-gnome-debuginfo-6.6p1-52.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1 (ppc64le x86_64)
  • openssh-debuginfo-6.6p1-52.1
  • openssh-debugsource-6.6p1-52.1
  • openssh-fips-6.6p1-52.1
  • openssh-6.6p1-52.1
  • openssh-helpers-debuginfo-6.6p1-52.1
  • openssh-helpers-6.6p1-52.1
  • openssh-askpass-gnome-6.6p1-52.1
  • openssh-askpass-gnome-debuginfo-6.6p1-52.1
• SUSE Linux Enterprise Server 12 SP1 (ppc64le s390x x86_64)
  • openssh-debuginfo-6.6p1-52.1
  • openssh-debugsource-6.6p1-52.1
  • openssh-fips-6.6p1-52.1
  • openssh-6.6p1-52.1
  • openssh-helpers-debuginfo-6.6p1-52.1
  • openssh-helpers-6.6p1-52.1
  • openssh-askpass-gnome-6.6p1-52.1
  • openssh-askpass-gnome-debuginfo-6.6p1-52.1

References:

• https://www.suse.com/security/cve/CVE-2016-6210.html
• https://www.suse.com/security/cve/CVE-2016-6515.html
• https://bugzilla.suse.com/show_bug.cgi?id=948902
• https://bugzilla.suse.com/show_bug.cgi?id=981654
• https://bugzilla.suse.com/show_bug.cgi?id=989363
• https://bugzilla.suse.com/show_bug.cgi?id=992533