Security update for openssh (important)

openssh was updated to fix several security issues and bugs.

These security issues were fixed:

• CVE-2015-5352: The x11_open_helper function in channels.c in ssh in
  OpenSSH when ForwardX11Trusted mode is not used, lacked a check of the
  refusal deadline for X connections, which made it easier for remote
  attackers to bypass intended access restrictions via a connection outside
  of the permitted time window (bsc#936695).
• CVE-2015-5600: The kbdint_next_device function in auth2-chall.c in sshd
  in OpenSSH did not properly restrict the processing of
  keyboard-interactive devices within a single connection, which made it
  easier for remote attackers to conduct brute-force attacks or cause a
  denial of service (CPU consumption) via a long and duplicative list in
  the ssh -oKbdInteractiveDevices option, as demonstrated by a modified
  client that provides a different password for each pam element on this
  list (bsc#938746).
• CVE-2015-4000: Removed and disabled weak DH groups to address LOGJAM
  (bsc#932483).
• Hardening patch to fix sftp RCE (bsc#903649).
• CVE-2015-6563: The monitor component in sshd in OpenSSH accepted
  extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which
  allowed local users to conduct impersonation attacks by leveraging any
  SSH login access in conjunction with control of the sshd uid to send a
  crafted MONITOR_REQ_PWNAM request, related to monitor.c and
  monitor_wrap.c.
• CVE-2015-6564: Use-after-free vulnerability in the
  mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH might
  have allowed local users to gain privileges by leveraging control of the
  sshd uid to send an unexpectedly early MONITOR_REQ_PAM_FREE_CTX request.

These non-security issues were fixed:

• bsc#914309: sshd inherits oom_adj -17 on SIGHUP causing DoS potential
  for oom_killer.
• bsc#673532: limits.conf fsize change in SLES10SP3 causing problems to
  WebSphere mqm user.
• bsc#916549: Fixed support for aesXXX-gcm@xxxxxxxxxxx.