UbuntuUpdates.org

Package "openssh"

Name: openssh

Description:

This package is just an umbrella for a group of other packages; it has no description.
Description samples from packages in group:

  • secure shell client and server (transitional package)

Latest version: 1:6.6p1-2ubuntu2.13
Release: trusty (14.04)
Level: updates
Repository: universe

Other versions of "openssh" in Trusty

Repository  Area      Version
base        universe  1:6.6p1-2ubuntu1
base        main      1:6.6p1-2ubuntu1
security    universe  1:6.6p1-2ubuntu2.13
security    main      1:6.6p1-2ubuntu2.13
updates     main      1:6.6p1-2ubuntu2.13

Changelog

Version: 1:6.6p1-2ubuntu2.7 2016-05-09 22:06:40 UTC

  openssh (1:6.6p1-2ubuntu2.7) trusty-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via environment files when
    UseLogin is configured
    - debian/patches/CVE-2015-8325.patch: ignore PAM environment vars when
      UseLogin is enabled in session.c.
    - CVE-2015-8325
  * SECURITY UPDATE: fallback from untrusted X11-forwarding to trusted
    - debian/patches/CVE-2016-1908-1.patch: use stack memory in
      clientloop.c.
    - debian/patches/CVE-2016-1908-2.patch: eliminate fallback in
      clientloop.c, clientloop.h, mux.c, ssh.c.
    - CVE-2016-1908
  * SECURITY UPDATE: shell-command restrictions bypass via crafted X11
    forwarding data
    - debian/patches/CVE-2016-3115.patch: sanitise characters destined for
      xauth in session.c.
    - CVE-2016-3115

 -- Marc Deslauriers <email address hidden> Thu, 05 May 2016 08:29:07 -0400

CVE-2015-8325 ignore PAM environment vars when UseLogin=yes
CVE-2016-1908 Eliminate the fallback from untrusted X11-forwarding to trusted forwarding for cases when the X server disables the SECURITY extension
CVE-2016-3115 Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-comman

Version: 1:6.6p1-2ubuntu2.6 2016-02-05 00:06:41 UTC

  openssh (1:6.6p1-2ubuntu2.6) trusty; urgency=medium

  * debian/control, debian/rules: enable libaudit support. (LP: #1478087)

Version: 1:6.6p1-2ubuntu2.4 2016-01-14 17:07:02 UTC

  openssh (1:6.6p1-2ubuntu2.4) trusty-security; urgency=medium

  * SECURITY UPDATE: information leak and overflow in roaming support
    - debian/patches/CVE-2016-077x.patch: completely disable roaming option
      in readconf.c.
    - CVE-2016-0777
    - CVE-2016-0778

 -- Marc Deslauriers Wed, 13 Jan 2016 10:48:19 -0500

Version: 1:6.6p1-2ubuntu2.3 2015-08-18 15:07:33 UTC

  openssh (1:6.6p1-2ubuntu2.3) trusty-security; urgency=medium

  * SECURITY REGRESSION: random auth failures because of uninitialized
    struct field (LP: #1485719)
    - debian/patches/CVE-2015-5600-2.patch:

 -- Marc Deslauriers Mon, 17 Aug 2015 21:52:52 -0400

1485719 Uninitialized struct field in the fix for CVE-2015-5600 causes random auth failures
CVE-2015-5600 The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive dev

Version: 1:6.6p1-2ubuntu2.2 2015-08-14 17:06:45 UTC

  openssh (1:6.6p1-2ubuntu2.2) trusty-security; urgency=medium

  * SECURITY UPDATE: possible user impersonation via PAM support
    - debian/patches/pam-security-1.patch: don't resend username to PAM in
      monitor.c, monitor_wrap.c.
    - CVE number pending
  * SECURITY UPDATE: use-after-free in PAM support
    - debian/patches/pam-security-2.patch: fix use after free in monitor.c.
    - CVE number pending
  * SECURITY UPDATE:
    - debian/patches/CVE-2015-5600.patch: only query each
      keyboard-interactive device once per authentication request in
      auth2-chall.c.
    - CVE-2015-5600
  * SECURITY UPDATE: X connections access restriction bypass
    - debian/patches/CVE-2015-5352.patch: refuse ForwardX11Trusted=no
      connections attempted after ForwardX11Timeout expires in channels.c,
      channels.h, clientloop.c.
    - CVE-2015-5352

 -- Marc Deslauriers Fri, 14 Aug 2015 07:31:00 -0400

CVE-2015-5600 The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive dev
CVE-2015-5352 The x11_open_helper function in channels.c in ssh in OpenSSH before 6.9, when ForwardX11Trusted mode is not used, lacks a check of the refusal deadli


