Synopsis: Moderate: openssh security, bug fix and enhancement update
Advisory ID: SLSA-2015:0425-2
Issue Date: 2015-03-05
CVE Numbers: CVE-2014-2653
It was discovered that OpenSSH clients did not correctly verify DNS SSHFP
records. A malicious server could use this flaw to force a connecting
client to skip the DNS SSHFP record check and require the user to perform
manual host verification of the DNS SSHFP record. (CVE-2014-2653)
It was found that when OpenSSH was used in a Kerberos environment, remote
authenticated users were allowed to log in as a different user if they
were listed in the ~/.k5users file of that user, potentially bypassing
intended authentication restrictions. (CVE-2014-9278)
The openssh packages have been upgraded to upstream version 6.6.1, which
provides a number of bug fixes and enhancements over the previous version.
* An existing /dev/log socket is needed when logging using the syslog
utility, which is not possible for all chroot environments based on the
user’s home directories. As a consequence, the sftp commands were not
logged in the chroot setup without /dev/log in the internal sftp
subsystem. With this update, openssh has been enhanced to detect whether
/dev/log exists. If /dev/log does not exist, processes in the chroot
environment use their master processes for logging.
* The buffer size for a host name was limited to 64 bytes. As a
consequence, when a host name was 64 bytes long or longer, the ssh-keygen
utility failed. The buffer size has been increased to fix this bug, and
ssh-keygen no longer fails in the described situation.
* Non-ASCII characters have been replaced by their octal representations
in banner messages in order to prevent terminal re-programming attacks.
Consequently, banners containing UTF-8 strings were not correctly
displayed in a client. With this update, banner messages are processed
according to RFC 3454, control characters have been removed, and banners
containing UTF-8 strings are now displayed correctly.
* Scientific Linux uses persistent Kerberos credential caches, which are
shared between sessions. Previously, the GSSAPICleanupCredentials option
was set to “yes” by default. Consequently, removing a Kerberos cache on
logout could remove unrelated credentials of other sessions, which could
make the system unusable. To fix this bug, GSSAPICleanupCredentials is set
by default to “no”.
* Access permissions for the /etc/ssh/moduli file were set to 0600, which
was unnecessarily strict. With this update, the permissions for
/etc/ssh/moduli have been changed to 0644 to make the access to the file
* Due to the KRB5CCNAME variable being truncated, the Kerberos ticket
cache was not found after login using a Kerberos-enabled SSH connection.
The underlying source code has been modified to fix this bug, and Kerberos
authentication works as expected in the described situation.
* When the sshd daemon is configured to force the internal SFTP session, a
connection other then SFTP is used, the appropriate message is logged to
the /var/log/secure file.
* The sshd-keygen service was run using the “ExecStartPre=-/usr/sbin/sshd-
keygen” option in the sshd.service unit file. With this update, the
separate sshd-keygen.service unit file has been added, and sshd.service
has been adjusted to require sshd-keygen.service.
– Scientific Linux Development Team