[SECURITY] [DLA 288-1] openssh security update

ID DEBIAN:DLA-288-1:36C61
Type debian
Reporter Debian
Modified 2015-08-07T11:38:57


Package    : openssh
Version    : 1:5.5p1-6+squeeze6
CVE ID     : CVE-2015-5352 CVE-2015-5600
Debian Bug : #790798 #793616

A recent upload of OpenSSH to Debian squeeze-lts fixes two security issues.


CVE-2015-5352

It was reported that when forwarding X11 connections with
ForwardX11Trusted=no, connections made after ForwardX11Timeout
(a hard-coded value of 1200 seconds in the Debian squeeze version of
OpenSSH) had expired could be permitted and were no longer subject to
XSECURITY restrictions. The cause was an ineffective timeout check in
ssh(1) coupled with "fail open" behaviour in the X11 server when
clients attempted connections with expired credentials. This problem
was reported by Jann Horn.

We now reject X11 connections after the hard-coded Xauth cookie
expiration time of 1200 seconds.


CVE-2015-5600

It was found that OpenSSH would allow an attacker to request a large
number of keyboard-interactive devices when entering a password,
which could allow a remote attacker to bypass the MaxAuthTries limit
defined in the sshd_config file.

This flaw only affects OpenSSH configurations that have the
'KbdInteractiveAuthentication' configuration option set to 'yes'. By
default, this option has the same value as the
'ChallengeResponseAuthentication' option.

By default, all versions of Debian have the
'ChallengeResponseAuthentication' option set to 'no', meaning default
OpenSSH configurations are not affected by this flaw.

We now only query each keyboard-interactive device once per
authentication request regardless of how many times it is listed.
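
A configuration audit for the condition described above, as an added example that is not part of the original advisory or of OpenSSH: it reads sshd_config text and reports the scopes in which keyboard-interactive authentication is enabled. The sample config, the function names and the `cra_default` fallback are assumptions, and the check conservatively reports exposure when either option is 'yes'.

```python
import re

# Constructed sample config (not from the advisory): Debian-style global
# default plus a Match block that re-enables keyboard-interactive auth.
SAMPLE_CONFIG = """\
# Debian ships this set to "no"
ChallengeResponseAuthentication no
# A later duplicate is ignored: sshd keeps the first value it reads.
ChallengeResponseAuthentication yes

Match Group otp-users
    KbdInteractiveAuthentication yes
"""

def parse_sshd_config(text):
    """Return (global_opts, match_blocks); keywords lowercased, first value wins."""
    global_opts, matches = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}                      # options now apply to this block only
            matches.append((value, current))
        else:
            current.setdefault(key, value)    # keep first occurrence
    return global_opts, matches

def kbdint_exposure(text, cra_default="yes"):
    """List the scopes where keyboard-interactive authentication is enabled."""
    # Assumption: cra_default is what applies when the file never sets
    # ChallengeResponseAuthentication (upstream documents "yes").
    opts, matches = parse_sshd_config(text)
    cra = opts.get("challengeresponseauthentication", cra_default).lower()
    kbd = opts.get("kbdinteractiveauthentication", cra).lower()
    exposed = []
    if "yes" in (cra, kbd):                   # conservative: flag if either is yes
        exposed.append("global")
    for criteria, block in matches:
        if block.get("kbdinteractiveauthentication", "").lower() == "yes":
            exposed.append("Match " + criteria)
    return exposed

if __name__ == "__main__":
    print(kbdint_exposure(SAMPLE_CONFIG) or "not exposed")
```

An empty result means the parsed file does not enable keyboard-interactive authentication in any scope; a non-empty result names the scopes to review.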


mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net