openssh-client: CVE-2016-0777

Related Vulnerabilities: CVE-2016-0777, CVE-2016-0778

Debian Bug report logs - #810984
openssh-client: CVE-2016-0777


Reported by: Christoph Anton Mitterer <calestyo@scientia.net>

Date: Thu, 14 Jan 2016 14:51:01 UTC

Severity: critical

Tags: fixed-upstream, security, upstream

Found in versions openssh/1:5.5p1-6, openssh/1:7.1p1-6

Fixed in versions openssh/1:7.1p2-1, 1:6.0p1-4+deb7u3, 1:6.7p1-5+deb8u1, openssh/1:5.5p1-6+squeeze8

Done: Colin Watson <cjwatson@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#810984; Package openssh-client. (Thu, 14 Jan 2016 14:51:05 GMT)


Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Thu, 14 Jan 2016 14:51:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openssh-client: CVE-2016-0777
Date: Thu, 14 Jan 2016 15:49:40 +0100
Package: openssh-client
Version: 1:7.1p1-6
Severity: critical
Tags: security
Justification: root security hole



Hey.

You probably know about this already, but just in case not:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034679.html

Cheers,
Chris.


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.3.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-client depends on:
ii  adduser           3.113+nmu3
ii  dpkg              1.18.4
ii  libc6             2.21-6
ii  libedit2          3.1-20150325-1+b1
ii  libgssapi-krb5-2  1.13.2+dfsg-4
ii  libselinux1       2.4-3
ii  libssl1.0.2       1.0.2e-1
ii  passwd            1:4.2-3.1
ii  zlib1g            1:1.2.8.dfsg-2+b1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- Configuration Files:
/etc/ssh/ssh_config changed [not included]

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#810984; Package openssh-client. (Thu, 14 Jan 2016 15:03:12 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Thu, 14 Jan 2016 15:03:12 GMT)


Message #10 received at 810984@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Christoph Anton Mitterer <calestyo@scientia.net>, 810984@bugs.debian.org
Subject: Re: Bug#810984: openssh-client: CVE-2016-0777
Date: Thu, 14 Jan 2016 16:01:07 +0100
On jeu., 2016-01-14 at 15:49 +0100, Christoph Anton Mitterer wrote:
> Hey.
> 
> You probably know about this already, but just in case not:
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034679.html
Thanks for the report, yes we're aware of it.

Regards,
-- 
Yves-Alexis

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#810984; Package openssh-client. (Thu, 14 Jan 2016 15:06:06 GMT)


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Thu, 14 Jan 2016 15:06:06 GMT)


Message #15 received at 810984@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Christoph Anton Mitterer" <calestyo@scientia.net>, 810984@bugs.debian.org
Subject: Re: Bug#810984: openssh-client: CVE-2016-0777
Date: Thu, 14 Jan 2016 16:02:53 +0100
On Thu, January 14, 2016 15:49, Christoph Anton Mitterer wrote:
> You probably know about this already, but just in case not:
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034679.html

Thanks for reporting.
The security team is indeed aware and a DSA is in preparation.

Cheers,
Thijs



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#810984; Package openssh-client. (Thu, 14 Jan 2016 15:06:09 GMT)


Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Thu, 14 Jan 2016 15:06:09 GMT)


Message #20 received at 810984@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: Christoph Anton Mitterer <calestyo@scientia.net>, 810984@bugs.debian.org
Subject: Re: Bug#810984: openssh-client: CVE-2016-0777
Date: Thu, 14 Jan 2016 15:03:38 +0000
On Thu, Jan 14, 2016 at 03:49:40PM +0100, Christoph Anton Mitterer wrote:
> You probably know about this already, but just in case not:
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034679.html

Yes, I do.  Upload coming soon.

-- 
Colin Watson                                       [cjwatson@debian.org]



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#810984; Package openssh-client. (Thu, 14 Jan 2016 15:09:08 GMT)


Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Thu, 14 Jan 2016 15:09:08 GMT)


Message #25 received at 810984@bugs.debian.org:

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Yves-Alexis Perez <corsac@debian.org>, 810984@bugs.debian.org
Subject: Re: Bug#810984: openssh-client: CVE-2016-0777
Date: Thu, 14 Jan 2016 16:05:02 +0100
On Thu, 2016-01-14 at 16:01 +0100, Yves-Alexis Perez wrote:
> Thanks for the report, yes we're aware of it.
The announcement doesn't read *that* extremely bad (well depends a bit
on whether one connects to untrusted systems), though,... thus maybe
the severity of this can be lowered.
OTOH, since it may allow an attacker to gain the local key (including
root's) one may still consider the severity to be appropriate.

Cheers,
Chris.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#810984; Package openssh-client. (Thu, 14 Jan 2016 15:09:11 GMT)


Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Thu, 14 Jan 2016 15:09:11 GMT)


Message #30 received at 810984@bugs.debian.org:

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Colin Watson <cjwatson@debian.org>, 810984@bugs.debian.org
Subject: Re: Bug#810984: openssh-client: CVE-2016-0777
Date: Thu, 14 Jan 2016 16:06:36 +0100
On Thu, 2016-01-14 at 15:03 +0000, Colin Watson wrote:
> Yes, I do.  Upload coming soon.
Great work :-) As usual the security team and maintainers are pretty
fast in Debian... if now there wouldn't be easy ways for blocking
attacks against secure APT, one could really feel pretty safe :)


Cheers,
Chris.

Marked as found in versions openssh/1:5.5p1-6. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 14 Jan 2016 15:30:09 GMT)


Marked as fixed in versions 1:6.0p1-4+deb7u3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 14 Jan 2016 15:30:12 GMT)


Marked as fixed in versions 1:6.7p1-5+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 14 Jan 2016 15:30:13 GMT)


Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 14 Jan 2016 15:30:19 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 14 Jan 2016 15:48:17 GMT)


Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Thu, 14 Jan 2016 16:09:09 GMT)


Notification sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Bug acknowledged by developer. (Thu, 14 Jan 2016 16:09:09 GMT)


Message #45 received at 810984-close@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 810984-close@bugs.debian.org
Subject: Bug#810984: fixed in openssh 1:7.1p2-1
Date: Thu, 14 Jan 2016 16:05:37 +0000
Source: openssh
Source-Version: 1:7.1p2-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 810984@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 14 Jan 2016 15:28:03 +0000
Source: openssh
Binary: openssh-client openssh-client-ssh4 openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.1p2-1
Distribution: unstable
Urgency: high
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-ssh4 - secure shell (SSH) client for legacy SSH1 protocol
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 810984
Changes:
 openssh (1:7.1p2-1) unstable; urgency=high
 .
   * New upstream release (http://www.openssh.com/txt/release-7.1p2):
     - CVE-2016-0777, CVE-2016-0778: Disable experimental client-side support
       for roaming, which could be tricked by a malicious server into leaking
       client memory to the server, including private client user keys; this
       information leak is restricted to connections to malicious or
       compromised servers (closes: #810984).
     - SECURITY: Fix an out of-bound read access in the packet handling code.
       Reported by Ben Hawkes.
     - Further use of explicit_bzero has been added in various buffer
       handling code paths to guard against compilers aggressively doing
       dead-store removal.





Marked as fixed in versions openssh/1:5.5p1-6+squeeze8. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 15 Jan 2016 06:27:10 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 14 Feb 2016 07:36:07 GMT)
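
Added example (not part of the bug log or of Debian's tooling): a check of an installed openssh-client version string against the "Found in" and "Fixed in" versions recorded above, using a Python reimplementation of dpkg's version ordering. Matching a fix to a branch by its upstream version string, and the three status labels, are simplifying assumptions of this example; debbugs itself tracks fixes through changelog ancestry.

```python
import re
from itertools import zip_longest

# Version data copied from this bug log; the first entry is the unstable upload.
FIXED = ["1:7.1p2-1", "1:6.0p1-4+deb7u3", "1:6.7p1-5+deb8u1", "1:5.5p1-6+squeeze8"]
EARLIEST_FOUND = "1:5.5p1-6"

def _order(c):
    """dpkg character weight: '~' sorts before end-of-string, letters before symbols."""
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare two upstream-version or revision strings the way dpkg does."""
    chunk = r"(\D*)(\d*)"   # alternating non-digit / digit runs
    for (xs, xn), (ys, yn) in zip_longest(re.findall(chunk, a), re.findall(chunk, b),
                                          fillvalue=("", "")):
        for i in range(max(len(xs), len(ys))):
            x = _order(xs[i]) if i < len(xs) else 0
            y = _order(ys[i]) if i < len(ys) else 0
            if x != y:
                return -1 if x < y else 1
        if int(xn or 0) != int(yn or 0):
            return -1 if int(xn or 0) < int(yn or 0) else 1
    return 0

def parse(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def compare(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = parse(a), parse(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def status(installed):
    """Classify a version as 'fixed', 'affected' or 'unknown' (labels are this example's)."""
    upstream = parse(installed)[1]
    for fix in FIXED:
        same_branch = parse(fix)[1] == upstream   # assumption: branch == upstream string
        if (same_branch or fix == FIXED[0]) and compare(installed, fix) >= 0:
            return "fixed"
    # Below the earliest "Found in" version the log records nothing either way.
    return "affected" if compare(installed, EARLIEST_FOUND) >= 0 else "unknown"
```

On a Debian system the input string can be taken from `dpkg-query -W -f='${Version}' openssh-client`.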




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:52:49 2019; Machine Name: beach
