Описание
ELSA-2015-0425: openssh security, bug fix and enhancement update (MODERATE)
[6.6.1p1-11 + 0.9.3-9]
- fix direction in CRYPTO_SESSION audit message (#1171248)
[6.6.1p1-10 + 0.9.3-9]
- add new option GSSAPIEnablek5users and disable using ~/.k5users by default CVE-2014-9278 (#1169843)
[6.6.1p1-9 + 0.9.3-9]
- log via monitor in chroots without /dev/log (#1083482)
[6.6.1p1-8 + 0.9.3-9]
- increase size of AUDIT_LOG_SIZE to 256 (#1171163)
- record pfs= field in CRYPTO_SESSION audit event (#1171248)
[6.6.1p1-7 + 0.9.3-9]
- fix gsskex patch to correctly handle MONITOR_REQ_GSSSIGN request (#1118005)
[6.6.1p1-6 + 0.9.3-9]
- correct the calculation of bytes for authctxt->krb5_ccname ams@corefiling.com (#1161073)
[6.6.1p1-5 + 0.9.3-9]
- change audit trail for unknown users (#1158521)
[6.6.1p1-4 + 0.9.3-9]
- revert the default of KerberosUseKuserok back to yes
- fix kuserok patch which checked for the existence of .k5login unconditionally and hence prevented other mechanisms to be used properly
[6.6.1p1-3 + 0.9.3-9]
- fix parsing empty options in sshd_conf
- ignore SIGXFSZ in postauth monitor
[6.6.1p1-2 + 0.9.3-9]
- slightly change systemd units logic - use sshd-keygen.service (#1066615)
- log when a client requests an interactive session and only sftp is allowed (#1130198)
- sshd-keygen - don't generate DSA and ED25519 host keys in FIPS mode (#1143867)
[6.6.1p1-1 + 0.9.3-9]
- new upstream release (#1059667)
- prevent a server from skipping SSHFP lookup - CVE-2014-2653 (#1081338)
- make /etc/ssh/moduli file public (#1134448)
- test existence of /etc/ssh/ssh_host_ecdsa_key in sshd-keygen.service
- don't clean up gssapi credentials by default (#1134447)
- ssh-agent - try CLOCK_BOOTTIME with fallback (#1134449)
- disable the curve25519 KEX when speaking to OpenSSH 6.5 or 6.6
- add support for ED25519 keys to sshd-keygen and sshd.sysconfig
- standardise on NI_MAXHOST for gethostname() string lengths (#1097665)
- set a client's address right after a connection is set (mindrot#2257) (#912792)
- apply RFC3454 stringprep to banners when possible (mindrot#2058) (#1104662)
- don't consider a partial success as a failure (mindrot#2270) (#1112972)
Обновленные пакеты
Oracle Linux 7
Oracle Linux x86_64
openssh
6.6.1p1-11.el7
openssh-askpass
6.6.1p1-11.el7
openssh-clients
6.6.1p1-11.el7
openssh-keycat
6.6.1p1-11.el7
openssh-ldap
6.6.1p1-11.el7
openssh-server
6.6.1p1-11.el7
openssh-server-sysvinit
6.6.1p1-11.el7
pam_ssh_agent_auth
0.9.3-9.11.el7
Связанные CVE
Связанные уязвимости
The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the .k5users file of that user, which might bypass intended authentication requirements that would force a local login.
The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the .k5users file of that user, which might bypass intended authentication requirements that would force a local login.
The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the .k5users file of that user, which might bypass intended authentication requirements that would force a local login.
The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 a ...
The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.