Package : openssh Version : 1:5.5p1-6+squeeze6 CVE ID : CVE-2015-5352 CVE-2015-5600 Debian Bug : #790798 #793616
A recent upload of OpenSSH to Debian squeeze-lts fixes two security issues.
It was reported that when forwarding X11 connections with ForwardX11Trusted=no, connections made after ForwardX11Timeout (hard-coded value of 1200secs in the Debian squeeze version of OpenSSH) expired could be permitted and no longer subject to XSECURITY restrictions because of an ineffective timeout check in ssh(1) coupled with "fail open" behaviour in the X11 server when clients attempted connections with expired credentials. This problem was reported by Jann Horn. We now reject X11 connections after the hard-coded Xauth cookie expiration time of 1200 seconds.
It was found that OpenSSH would allow an attacker to request a large number of keyboard-interactive devices when entering a password, which could allow a remote attacker to bypass the MaxAuthTries limit defined in the sshd_config file. This flaw only affects OpenSSH configurations that have the 'KbdInteractiveAuthentication' configuration option set to 'yes'. By default, this option has the same value as the 'ChallengeResponseAuthentication' option. By default, all versions of Debian have the 'ChallengeResponseAuthentication' option set to 'no', meaning default OpenSSH configurations are not affected by this flaw. We now only query each keyboard-interactive device once per authentication request regardless of how many times it is listed.
mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: email@example.com, http://sunweavers.net