If server offers certificate, doesn't fall back to checking SSHFP records (CVE-2014-2653)

Related Vulnerabilities: CVE-2014-2653, CVE-2014-2532

Debian Bug report logs - #742513


Reported by: Matthew Vernon <mcv21@cam.ac.uk>

Date: Mon, 24 Mar 2014 16:39:01 UTC

Severity: important

Tags: security, upstream

Found in versions openssh/1:5.5p1-6, openssh/1:6.0p1-4

Fixed in versions openssh/1:6.6p1-1, openssh/1:6.0p1-4+deb7u1, openssh/1:5.5p1-6+squeeze5

Done: Colin Watson <cjwatson@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#742513; Package openssh-client. (Mon, 24 Mar 2014 16:39:06 GMT)


Acknowledgement sent to Matthew Vernon <mcv21@cam.ac.uk>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Mon, 24 Mar 2014 16:39:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Matthew Vernon <mcv21@cam.ac.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: If server offers certificate, doesn't fall back to checking SSHFP records
Date: Mon, 24 Mar 2014 16:35:27 +0000
Package: openssh-client
Version: 1:6.0p1-4
Severity: important
Tags: security upstream

Hi,

I've been looking at handling host keys better, and tripped over this
bug. Essentially, if the server offers a HostCertificate that the
client doesn't accept, then the client doesn't then check for SSHFP
records.

Setup to reproduce:

Server has a HostCertificate, and appropriate SSHFP entries in the DNS. 

Client does /not/ have a @cert-authority entry in known_hosts

What should happen:

Server offers the certificate, client rejects it and then validates
the SSHFP entry, and goes on to connect.

What does happen:

Server offers the certificate, client rejects it and then falls back
to prompting the user.

You can work around this by doing -o 'HostKeyAlgorithms=ssh-rsa', but
that disables certificate checking entirely, so isn't actually a fix.

I think this is a security issue, as host key checking is IMO
important security-wise, but I think "important" is the correct
severity.

Regards,

Matthew

-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  dpkg                   1.16.12
ii  libc6                  2.13-38+deb7u1
ii  libedit2               2.11-20080614-5
ii  libgssapi-krb5-2       1.10.1+dfsg-5+deb7u1
ii  libselinux1            2.1.9-5
ii  libssl1.0.0            1.0.1e-2+deb7u4
ii  passwd                 1:4.1.5.1-1
ii  zlib1g                 1:1.2.7.dfsg-13

Versions of packages openssh-client recommends:
ii  openssh-blacklist        0.4.1+nmu1
ii  openssh-blacklist-extra  0.4.1+nmu1
ii  xauth                    1:1.0.7-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- Configuration Files:
/etc/ssh/ssh_config changed:
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no


-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#742513; Package openssh-client. (Mon, 24 Mar 2014 17:33:04 GMT)


Acknowledgement sent to Matthew Vernon <mcv21@cam.ac.uk>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Mon, 24 Mar 2014 17:33:04 GMT)


Message #10 received at 742513@bugs.debian.org:

From: Matthew Vernon <mcv21@cam.ac.uk>
To: 742513@bugs.debian.org
Subject: Oops
Date: Mon, 24 Mar 2014 17:11:22 +0000
Hi,

This bug is worse than I initially thought - if you're using
SSHFP/DNSSEC, and I am evil, then my pretend-server offers the client a
certificate, at which point ssh will not check the DNS at all, and
simply offer the user the usual "unable to verify" dialogue. Since most
users have been trained to hit "yes" blindly at that dialogue, I think
this is a more important security problem than I first thought.

Regards,

Matthew



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#742513; Package openssh-client. (Mon, 24 Mar 2014 18:48:04 GMT)


Acknowledgement sent to Mark Wooding <mdw@distorted.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Mon, 24 Mar 2014 18:48:04 GMT)


Message #15 received at 742513@bugs.debian.org:

From: Mark Wooding <mdw@distorted.org.uk>
To: 742513@bugs.debian.org
Subject: Untested patch
Date: Mon, 24 Mar 2014 18:09:24 +0000
I've just thrown together a patch.  It compiles but is otherwise
entirely untested!  I'm interested in comments like `No, that's the
wrong fix: you should do mumble instead.'

diff --git a/sshconnect.c b/sshconnect.c
index 87c3770..dfe44e4 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1218,36 +1218,62 @@ fail:
 	return -1;
 }
 
+static int
+check_host_key_sshfp(char *host, struct sockaddr *hostaddr, Key *host_key)
+{
+	int rc = -1;
+	int flags = 0;
+	Key *raw_key = NULL;
+
+	if (!options.verify_host_key_dns)
+		goto done;
+
+	/* XXX certs are not yet supported for DNS; try looking the raw key
+	 * up in the DNS anyway.
+	 */
+	if (key_is_cert(host_key)) {
+		raw_key = key_from_private(host_key);
+		if (key_drop_cert(raw_key))
+			fatal("Couldn't drop certificate");
+		host_key = raw_key;
+	}
+
+	if (verify_host_key_dns(host, hostaddr, host_key, &flags))
+		goto done;
+
+	if (flags & DNS_VERIFY_FOUND) {
+
+		if (options.verify_host_key_dns == 1 &&
+		    flags & DNS_VERIFY_MATCH &&
+		    flags & DNS_VERIFY_SECURE) {
+			rc = 0;
+		} else if (flags & DNS_VERIFY_MATCH) {
+			matching_host_key_dns = 1;
+		} else {
+			warn_changed_key(host_key);
+			error("Update the SSHFP RR in DNS with the new "
+			      "host key to get rid of this message.");
+		}
+	}
+
+done:
+	if (raw_key)
+		key_free(raw_key);
+	return rc;
+}
+
 /* returns 0 if key verifies or -1 if key does NOT verify */
 int
 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 {
-	int flags = 0;
 	char *fp;
 
 	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
 	debug("Server host key: %s %s", key_type(host_key), fp);
 	free(fp);
 
-	/* XXX certs are not yet supported for DNS */
-	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
-	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
-		if (flags & DNS_VERIFY_FOUND) {
-
-			if (options.verify_host_key_dns == 1 &&
-			    flags & DNS_VERIFY_MATCH &&
-			    flags & DNS_VERIFY_SECURE)
-				return 0;
-
-			if (flags & DNS_VERIFY_MATCH) {
-				matching_host_key_dns = 1;
-			} else {
-				warn_changed_key(host_key);
-				error("Update the SSHFP RR in DNS with the new "
-				    "host key to get rid of this message.");
-			}
-		}
-	}
+	if (check_host_key_sshfp(host, hostaddr, host_key) == 0)
+		return 0;
 
 	return check_host_key(host, hostaddr, options.port, host_key, RDRW,
 	    options.user_hostfiles, options.num_user_hostfiles,
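Review bot: the comment at the top of check_host_key_sshfp() still reads "certs are not yet supported for DNS", but the function now performs exactly that lookup on the key extracted from the certificate; reword it to say that SSHFP records describe the bare host key, so the certificate wrapper is dropped before the lookup. The same comment should also spell out two consequences visible in this hunk: the warn_changed_key() / "Update the SSHFP RR" branch now fires for a certificate-presenting server whose underlying key differs from the published record, and on the rc = 0 path verify_host_key() returns before check_host_key(), so with VerifyHostKeyDNS=yes a DNSSEC-validated match on the extracted key accepts the host without the certificate itself ever being checked against a @cert-authority entry (the same as the existing behaviour for plain keys, but new for certificates).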

-- [mdw]



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#742513; Package openssh-client. (Tue, 25 Mar 2014 11:54:08 GMT)


Acknowledgement sent to matthew@debian.org:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Tue, 25 Mar 2014 11:54:08 GMT)


Message #20 received at 742513@bugs.debian.org:

From: matthew@debian.org
To: 742513@bugs.debian.org
Cc: Matthew Vernon <mcv21@cam.ac.uk>, Matthew Vernon <matthew@debian.org>
Subject: [PATCH] Attempt SSHFP lookup even if server presents a certificate
Date: Tue, 25 Mar 2014 11:26:53 +0000
From: Matthew Vernon <mcv21@cam.ac.uk>

If an ssh server presents a certificate to the client, then the client
does not check the DNS for SSHFP records. This means that a malicious
server can essentially disable DNS-host-key-checking, which means the
client will fall back to asking the user (who will just say "yes" to
the fingerprint, sadly).

This patch means that the ssh client will, if necessary, extract the
server key from the proffered certificate, and attempt to verify it
against the DNS. The patch was written by Mark Wooding
<mdw@distorted.org.uk>. I modified it to add one debug2 call, reviewed
it, and tested it.

Signed-off-by: Matthew Vernon <matthew@debian.org>
Bug-Debian: http://bugs.debian.org/742513
---
 sshconnect.c |   67 ++++++++++++++++++++++++++++++++++++++++------------------
 1 file changed, 47 insertions(+), 20 deletions(-)

diff --git a/sshconnect.c b/sshconnect.c
index 87c3770..b8510d2 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1218,36 +1218,63 @@ fail:
 	return -1;
 }
 
+static int
+check_host_key_sshfp(char *host, struct sockaddr *hostaddr, Key *host_key)
+{
+	int rc = -1;
+	int flags = 0;
+	Key *raw_key = NULL;
+
+	if (!options.verify_host_key_dns)
+		goto done;
+
+	/* XXX certs are not yet supported for DNS; try looking the raw key
+	 * up in the DNS anyway.
+	 */
+	if (key_is_cert(host_key)) {
+	  debug2("Extracting key from cert for SSHFP lookup");
+		raw_key = key_from_private(host_key);
+		if (key_drop_cert(raw_key))
+			fatal("Couldn't drop certificate");
+		host_key = raw_key;
+	}
+
+	if (verify_host_key_dns(host, hostaddr, host_key, &flags))
+		goto done;
+
+	if (flags & DNS_VERIFY_FOUND) {
+
+		if (options.verify_host_key_dns == 1 &&
+		    flags & DNS_VERIFY_MATCH &&
+		    flags & DNS_VERIFY_SECURE) {
+			rc = 0;
+		} else if (flags & DNS_VERIFY_MATCH) {
+			matching_host_key_dns = 1;
+		} else {
+			warn_changed_key(host_key);
+			error("Update the SSHFP RR in DNS with the new "
+			      "host key to get rid of this message.");
+		}
+	}
+
+done:
+	if (raw_key)
+		key_free(raw_key);
+	return rc;
+}
+
 /* returns 0 if key verifies or -1 if key does NOT verify */
 int
 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 {
-	int flags = 0;
 	char *fp;
 
 	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
 	debug("Server host key: %s %s", key_type(host_key), fp);
 	free(fp);
 
-	/* XXX certs are not yet supported for DNS */
-	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
-	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
-		if (flags & DNS_VERIFY_FOUND) {
-
-			if (options.verify_host_key_dns == 1 &&
-			    flags & DNS_VERIFY_MATCH &&
-			    flags & DNS_VERIFY_SECURE)
-				return 0;
-
-			if (flags & DNS_VERIFY_MATCH) {
-				matching_host_key_dns = 1;
-			} else {
-				warn_changed_key(host_key);
-				error("Update the SSHFP RR in DNS with the new "
-				    "host key to get rid of this message.");
-			}
-		}
-	}
+	if (check_host_key_sshfp(host, hostaddr, host_key) == 0)
+		return 0;
 
 	return check_host_key(host, hostaddr, options.port, host_key, RDRW,
 	    options.user_hostfiles, options.num_user_hostfiles,
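Review bot: the added debug2() line at the top of the key_is_cert() block is indented with a tab followed by two spaces, while the rest of the block uses tabs only; use a single extra tab so it lines up with the raw_key assignment that follows. The message would also be more useful with the key type in it, e.g. debug2("Extracting %s key from cert for SSHFP lookup", key_type(host_key)), since key_type() is already used in verify_host_key() a few lines further down in this hunk.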
-- 
1.7.10.4
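The decision path the two patches above introduce, modelled as an added Python example (not OpenSSH's own code and not from any participant in this report): the certificate wrapper is stripped, the bare key is hashed the way an SSHFP record publishes it, and the DNS_VERIFY_* bits drive the same accept / hint / warn outcomes as check_host_key_sshfp(), with patched=False reproducing the reported behaviour. The Ed25519 key bytes and SSHFP records are constructed, and the DNSSEC result is passed in as a flag instead of being resolved.

```python
"""Model of the CVE-2014-2653 fix: strip the certificate wrapper from a server
host key and check the bare key against SSHFP records, as the patched
check_host_key_sshfp() does.  Added illustrative code, not OpenSSH's own; the
Ed25519 key bytes and SSHFP records are constructed.  Standard library only."""
import hashlib
import struct

CERT_SUFFIX = "-cert-v01@openssh.com"
# RFC 4255 / RFC 6594 SSHFP algorithm numbers (ecdsa-sha2-* is 3) and
# fingerprint types; number of "string" fields in each key type's public
# part (these are what follow the nonce inside an OpenSSH certificate blob).
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}
PUBKEY_FIELDS = {"ssh-rsa": 2, "ssh-dss": 4, "ssh-ed25519": 1}
# Outcome bits, mirroring DNS_VERIFY_FOUND / MATCH / SECURE in sshconnect.c.
FOUND, MATCH, SECURE = 1, 2, 4

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def read_string(blob: bytes, off: int):
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_type(blob: bytes) -> str:
    return read_string(blob, 0)[0].decode()

def drop_cert(blob: bytes) -> bytes:
    """Return the plain host key embedded in a certificate blob: the
    key_from_private() + key_drop_cert() step of the patch."""
    keytype = key_type(blob)
    if not keytype.endswith(CERT_SUFFIX):
        return blob
    base = keytype[:-len(CERT_SUFFIX)]
    _, off = read_string(blob, 0)
    _nonce, off = read_string(blob, off)
    out = ssh_string(base.encode())
    nfields = 2 if base.startswith("ecdsa-sha2-") else PUBKEY_FIELDS[base]
    for _ in range(nfields):
        field, off = read_string(blob, off)
        out += ssh_string(field)
    return out

def sshfp_fingerprint(blob: bytes, fptype: int) -> tuple:
    """(algorithm, fptype, hex digest) as published in an SSHFP RR."""
    keytype = key_type(blob)
    alg = 3 if keytype.startswith("ecdsa-sha2-") else SSHFP_ALG[keytype]
    return alg, fptype, SSHFP_HASH[fptype](blob).hexdigest()

def verify_host_key_dns(blob: bytes, records, dnssec_secure: bool) -> int:
    """Model of verify_host_key_dns(): compare the key with the SSHFP set
    (list of (alg, fptype, hexdigest)) and return the DNS_VERIFY_* bits."""
    flags = FOUND if records else 0
    if flags and dnssec_secure:
        flags |= SECURE          # answer carried the DNSSEC AD bit
    for alg, fptype, digest in records:
        if fptype in SSHFP_HASH and \
                sshfp_fingerprint(blob, fptype) == (alg, fptype, digest.lower()):
            flags |= MATCH
    return flags

def check_host_key_sshfp(host_key: bytes, records, dnssec_secure: bool,
                         verify_opt: str = "yes", patched: bool = True) -> str:
    """What the client decides before consulting known_hosts.  verify_opt is
    the VerifyHostKeyDNS setting; patched=False reproduces the original
    behaviour, where a certificate skipped the DNS lookup altogether."""
    if verify_opt == "no":
        return "skip-dns"
    if key_type(host_key).endswith(CERT_SUFFIX):
        if not patched:
            return "skip-dns"    # CVE-2014-2653: straight on to the prompt
        host_key = drop_cert(host_key)
    flags = verify_host_key_dns(host_key, records, dnssec_secure)
    if not flags & FOUND:
        return "skip-dns"        # no SSHFP RRs published
    if verify_opt == "yes" and flags & MATCH and flags & SECURE:
        return "accept"          # rc = 0: verified without known_hosts
    if flags & MATCH:
        return "match-hint"      # matching_host_key_dns = 1
    return "warn-changed-key"    # RR present but for a different key

def constructed_sample():
    """Constructed data: an Ed25519 host key blob, the same key wrapped in a
    structurally minimal (unsigned) certificate blob, and its SSHFP records."""
    pk = bytes(range(32))        # wire-format placeholder, not a real key
    raw = ssh_string(b"ssh-ed25519") + ssh_string(pk)
    cert = (ssh_string(b"ssh-ed25519-cert-v01@openssh.com")
            + ssh_string(b"\x00" * 32) + ssh_string(pk)       # nonce, pk
            + struct.pack(">QI", 1, 2) + ssh_string(b"host"))  # serial, type, id
    return raw, cert, [sshfp_fingerprint(raw, 1), sshfp_fingerprint(raw, 2)]
```

Running check_host_key_sshfp() on the constructed certificate with patched=False returns "skip-dns", the fall-through to the "unable to verify" prompt described in message #10; with the default it returns "accept" when the DNSSEC-validated records match and "warn-changed-key" when they do not.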




Changed Bug title to 'If server offers certificate, doesn't fall back to checking SSHFP records (CVE-2014-2653)' from 'If server offers certificate, doesn't fall back to checking SSHFP records'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 26 Mar 2014 20:09:16 GMT)


Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Fri, 28 Mar 2014 21:21:22 GMT)


Notification sent to Matthew Vernon <mcv21@cam.ac.uk>:
Bug acknowledged by developer. (Fri, 28 Mar 2014 21:21:22 GMT)


Message #27 received at 742513-close@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 742513-close@bugs.debian.org
Subject: Bug#742513: fixed in openssh 1:6.6p1-1
Date: Fri, 28 Mar 2014 21:19:12 +0000
Source: openssh
Source-Version: 1:6.6p1-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742513@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 28 Mar 2014 18:04:41 +0000
Source: openssh
Binary: openssh-client openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source i386 all
Version: 1:6.6p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 298138 341883 742308 742513 742541
Changes: 
 openssh (1:6.6p1-1) unstable; urgency=medium
 .
   [ Colin Watson ]
   * Apply various warning-suppression and regression-test fixes to
     gssapi.patch from Damien Miller.
   * New upstream release (http://www.openssh.com/txt/release-6.6,
     LP: #1298280):
     - CVE-2014-2532: sshd(8): when using environment passing with an
       sshd_config(5) AcceptEnv pattern with a wildcard, OpenSSH prior to 6.6
       could be tricked into accepting any environment variable that contains
       the characters before the wildcard character.
   * Re-enable btmp logging, as its permissions were fixed a long time ago in
     response to #370050 (closes: #341883).
   * Change to "PermitRootLogin without-password" for new installations, and
     ask a debconf question when upgrading systems with "PermitRootLogin yes"
     from previous versions (closes: #298138).
   * Debconf translations:
     - Danish (thanks, Joe Hansen).
     - Portuguese (thanks, Américo Monteiro).
     - Russian (thanks, Yuri Kozlov; closes: #742308).
     - Swedish (thanks, Andreas Rönnquist).
     - Japanese (thanks, victory).
     - German (thanks, Stephan Beck; closes: #742541).
     - Italian (thanks, Beatrice Torracca).
   * Don't start ssh-agent from the Upstart user session job if something
     like Xsession has already done so (based on work by Bruno Vasselle;
     LP: #1244736).
 .
   [ Matthew Vernon ]
   * CVE-2014-2653: Fix failure to check SSHFP records if server presents a
     certificate (bug reported by me, patch by upstream's Damien Miller;
     thanks also to Mark Wooding for his help in fixing this) (Closes:
     #742513)
Package-Type: udeb





Marked as found in versions openssh/1:5.5p1-6. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 04 Apr 2014 14:51:10 GMT)


Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Sat, 05 Apr 2014 18:06:10 GMT)


Notification sent to Matthew Vernon <mcv21@cam.ac.uk>:
Bug acknowledged by developer. (Sat, 05 Apr 2014 18:06:10 GMT)


Message #34 received at 742513-close@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 742513-close@bugs.debian.org
Subject: Bug#742513: fixed in openssh 1:6.0p1-4+deb7u1
Date: Sat, 05 Apr 2014 18:02:07 +0000
Source: openssh
Source-Version: 1:6.0p1-4+deb7u1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742513@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 03 Apr 2014 00:05:17 +0100
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source i386 all
Version: 1:6.0p1-4+deb7u1
Distribution: stable-security
Urgency: high
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 742513
Changes: 
 openssh (1:6.0p1-4+deb7u1) stable-security; urgency=high
 .
   * CVE-2014-2532: Disallow invalid characters in environment variable names
     to prevent bypassing AcceptEnv wildcard restrictions.
   * CVE-2014-2653: Attempt SSHFP lookup even if server presents a
     certificate (closes: #742513).
Package-Type: udeb





Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Sat, 05 Apr 2014 19:03:24 GMT)


Notification sent to Matthew Vernon <mcv21@cam.ac.uk>:
Bug acknowledged by developer. (Sat, 05 Apr 2014 19:03:24 GMT)


Message #39 received at 742513-close@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 742513-close@bugs.debian.org
Subject: Bug#742513: fixed in openssh 1:5.5p1-6+squeeze5
Date: Sat, 05 Apr 2014 19:02:32 +0000
Source: openssh
Source-Version: 1:5.5p1-6+squeeze5

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742513@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 03 Apr 2014 01:05:27 +0100
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source i386 all
Version: 1:5.5p1-6+squeeze5
Distribution: oldstable-security
Urgency: high
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 742513
Changes: 
 openssh (1:5.5p1-6+squeeze5) oldstable-security; urgency=high
 .
   * CVE-2014-2532: Disallow invalid characters in environment variable names
     to prevent bypassing AcceptEnv wildcard restrictions.
   * CVE-2014-2653: Attempt SSHFP lookup even if server presents a
     certificate (closes: #742513).
Package-Type: udeb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 04 May 2014 07:26:48 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 12:56:33 2019; Machine Name: buxtehude
