Security OpenSSH Security Bug CVE-2016-0777 & CVE-2016-0778

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jan 15, 2016.

  1. eva2000

    OpenSSH client-end security vulnerability posted on WHT forums at OpenSSH: client bug CVE-2016-0777. Related to CVE-2016-0777 and CVE-2016-0778.

    Workaround

    For CentOS 7.x only, the workaround for now, until OpenSSH gets updated by Redhat/CentOS, is disabling UseRoaming in the ssh client config file by adding (appending) the variable to the end of the ssh_config file:
    Code:
    echo 'UseRoaming no' >> /etc/ssh/ssh_config
    or for the SSH client end
    Other info links

    Updated OpenSSH packages

    Redhat 7 openssh updated packages have been released: Red Hat Customer Portal
    Code:
    x86_64:
    openssh-6.6.1p1-23.el7_2.x86_64.rpm        MD5: 4107b3d61b0b4d19fd75cffad0e1edc9
    SHA-256: 02d5c25c03028e6588712df36cfae11a67ce0c1d82053793fbec018b55f04b81
    openssh-askpass-6.6.1p1-23.el7_2.x86_64.rpm        MD5: 67d38d185180f37a555f9da72e350bd0
    SHA-256: c08b486cb3457d13f67bdbac0b526b9d82225da2afb1b8e65658492a33e843b7
    openssh-clients-6.6.1p1-23.el7_2.x86_64.rpm        MD5: 58efb3d2a957c648d614bd138c24feba
    SHA-256: 7bf43948bf45a903398ba8bfb1959790138903047d21a0e7ed1b3a269ddcbf65
    openssh-debuginfo-6.6.1p1-23.el7_2.i686.rpm        MD5: 4573e92cc76a0e44b347872db97f39d3
    SHA-256: 0911be36881144e368b2b3e50933fcc024a7c708c9552327ac433b9e23438abb
    openssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm        MD5: 21e96ad2ca7a1445c29a5f55ddf173fc
    SHA-256: 2495f2fbaf4f04e62e32ea1c2bcb3b1c084dafe9a50a9831844c9f1921546266
    openssh-keycat-6.6.1p1-23.el7_2.x86_64.rpm        MD5: 03f8800c1e572738f8cddb583a5c2e69
    SHA-256: 3ec6f587eec4ed7862ede492ed56b2c8253892e2a2c1441b7a0b473036e982db
    openssh-ldap-6.6.1p1-23.el7_2.x86_64.rpm        MD5: bd612582cdba007dd6e1d1fa23f0ae86
    SHA-256: afa29af34b161058475ef03f712eeaec73780ea781c217d6d5cb1362ce32851b
    openssh-server-6.6.1p1-23.el7_2.x86_64.rpm        MD5: 657a6e2905519d719213faf61709b4d9
    SHA-256: 057db9c007eed0a70b0ae77837d19566f2f36c83cdbbcd5a3545c30af99eca43
    openssh-server-sysvinit-6.6.1p1-23.el7_2.x86_64.rpm        MD5: 187cc40d72ffd3045425aba0f0780974
    SHA-256: f830fe2abf109d195545716e6844385ada6f240f0e04d54dbbe5df21fa8f8535
    pam_ssh_agent_auth-0.9.3-9.23.el7_2.i686.rpm        MD5: b7138a12fe05f4a97da642067f43ca29
    SHA-256: 96c195fff319a3058bd3590244a2a03a107afb3435ff77c01e46fff63cee1811
    pam_ssh_agent_auth-0.9.3-9.23.el7_2.x86_64.rpm        MD5: 29dd7de78c7d393ad2ac33a5d9036f2e
    SHA-256: 3e464afd2da795562905c918a0f9571c2b6721a3f3f03f2965dfcc840849d5ee
    For CentOS 7
    Code:
    yum -q list updates
    Updated Packages
    openssh.x86_64            6.6.1p1-23.el7_2        updates
    openssh-clients.x86_64    6.6.1p1-23.el7_2        updates
    openssh-server.x86_64     6.6.1p1-23.el7_2        updates
    After update command
    Code:
    yum -y update
    Code:
    yum -q list installed openssh*
    Installed Packages
    openssh.x86_64            6.6.1p1-23.el7_2        @updates
    openssh-clients.x86_64    6.6.1p1-23.el7_2        @updates
    openssh-server.x86_64     6.6.1p1-23.el7_2        @updates
    openssh changelog
    Code:
    rpm -qa --changelog openssh | head -n4
    * Wed Jan 13 2016 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-23 + 0.9.3-9
    - Disable undocumented feauture Roaming for good (#1298218)
    - prevents CVE-2016-0777 and CVE-2016-0778

     
    Last edited: Jan 17, 2016
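The version check and the UseRoaming workaround from the post above, as an added example that is not part of the original thread and not Centmin Mod or Red Hat tooling. It assumes the fixed build is the 6.6.1p1-23.el7_2 package the post quotes, that the stock CentOS 7 paths /etc/ssh/ssh_config and ~/.ssh/config are in use, and the function names are hypothetical. Three points the bare one-liner in the post does not cover: the bug is in the client, so the package that matters is openssh-clients, not openssh-server; ssh_config uses the first value obtained for a keyword, so an explicit `UseRoaming yes` earlier in the file would override an appended `no` (the script refuses rather than silently appending); and when verifying downloaded RPMs against the Red Hat listing, check the SHA-256 column only, since MD5 is not collision resistant.

```bash
#!/bin/bash
# Added example (not from the original thread): CVE-2016-0777/0778 checks
# for CentOS/RHEL 7 clients. Fixed build taken from the thread: 6.6.1p1-23.el7_2.

OPENSSH_FIXED_VERSION="6.6.1p1"   # assumption: the el7 stream discussed on the page
OPENSSH_FIXED_RELEASE=23

# openssh_fixed VERSION-RELEASE (as printed by
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssh-clients)
# Returns 0 for a build with roaming removed, 1 for a vulnerable el7 build,
# 2 for a version stream this script knows nothing about.
openssh_fixed() {
    ver=${1%%-*}            # 6.6.1p1
    rel=${1#*-}             # 23.el7_2
    relnum=${rel%%.*}       # 23
    [ "$ver" = "$OPENSSH_FIXED_VERSION" ] || return 2
    [ "$relnum" -ge "$OPENSSH_FIXED_RELEASE" ]
}

# roaming_disabled FILE: 0 if FILE has an active 'UseRoaming no' line.
# ssh_config keywords are case-insensitive; lines starting with '#' are comments.
roaming_disabled() {
    grep -Eiq '^[[:space:]]*UseRoaming[[:space:]]+no([[:space:]]|$)' "$1" 2>/dev/null
}

# disable_roaming FILE: idempotently append 'UseRoaming no'.
# ssh_config keeps the FIRST value it sees for a keyword, so an explicit
# 'UseRoaming yes' already in the file would win over anything appended;
# in that case warn and return 1 instead of pretending the host is fixed.
disable_roaming() {
    file=$1
    if grep -Eiq '^[[:space:]]*UseRoaming[[:space:]]+yes' "$file" 2>/dev/null; then
        echo "warning: $file explicitly enables roaming; remove that line" >&2
        return 1
    fi
    roaming_disabled "$file" && return 0
    [ -e "$file" ] || touch "$file"
    printf 'UseRoaming no\n' >> "$file"
    roaming_disabled "$file"
}

# rh_hashes_to_sha256sum LISTING: convert the Red Hat portal format quoted in
# the thread ("pkg.rpm   MD5: ..." followed by "SHA-256: ...") into the
# "<sha256>  <file>" lines that 'sha256sum -c' accepts. The MD5 column is
# deliberately ignored.
rh_hashes_to_sha256sum() {
    awk '/\.rpm/ { f=$1 } /^[[:space:]]*SHA-256:/ { print $2 "  " f }' "$1"
}

# Usage on a CentOS 7 host:  bash check_roaming.sh --apply
if [ "${1:-}" = "--apply" ]; then
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssh-clients)
    if openssh_fixed "$installed"; then
        echo "openssh-clients $installed: roaming removed, no workaround needed"
    else
        echo "openssh-clients $installed: vulnerable or unknown build, applying workaround"
        disable_roaming /etc/ssh/ssh_config
        disable_roaming "$HOME/.ssh/config"
    fi
fi
```

To verify downloaded packages against the listing in the post, save that listing to a file, run `rh_hashes_to_sha256sum listing.txt > SHA256SUMS` in the directory holding the RPMs, then `sha256sum -c SHA256SUMS`; `rpm -K` on each file additionally checks the Red Hat GPG signature, which the hash list alone does not.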
  2. negative

    Thank you, applied
     
  3. rdan

    I have all my servers as shortcuts on my desktop only, and auto login on shell.
    So commands for me :D
     
  4. eva2000

    Redhat's entry at CVE-2016-0777 - Red Hat Customer Portal

    Looks like Redhat, and thus CentOS, 4, 5 and 6 are not affected; only Redhat and CentOS 7, and only in non-default configurations.
     
  5. eva2000

    from OpenSSH: Information-leak vulnerability (CVE-2016-0777) - Red Hat Customer Portal
     
  6. eva2000

    CentOS 7.2 is using openssh 6.6.1p1-22
    Code:
    rpm -qa openssh
    openssh-6.6.1p1-22.el7.x86_64
    waiting for updated openssh package for CentOS 7 I guess
    Code:
    rpm -qa --changelog openssh | head -n5
    * Fri Sep 25 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-22 + 0.9.3-9
    - Use the correct constant for glob limits (#1160377)
    
    * Thu Sep 24 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-21 + 0.9.3-9
    - Extend memory limit for remote glob in sftp acc. to stat limit (#116037
    no updates available in continuous release or fasttrack yum repos either
    Code:
    yum list updates --enablerepo=cr,fasttrack --disableplugin=priorities
     
    Last edited: Jan 15, 2016
  7. Jimmy

    Thanks for the heads up.
     
  8. hardousse

    Thank you, applied
     
  9. rdan

    WoW, very quick update from Linux Mint :D
     
  10. eva2000

    Oh, there's a CVE-2016-0778 too: CVE-2016-0778 - Red Hat Customer Portal! Again only Redhat/CentOS 7 affected.

     
  11. Sunka

    Applied, thanks
     
  15. rdan

    Just updated all my servers :)
     
  16. Sunka

    Done!

    Code:
    [root@tvor-ocean ~]# yum update
    Loaded plugins: fastestmirror, priorities
    base                                                     | 3.6 kB     00:00    
    elasticsearch-2.x                                        | 2.9 kB     00:00    
    epel/x86_64/metalink                                     |  28 kB     00:00    
    epel                                                     | 4.3 kB     00:00    
    extras                                                   | 3.4 kB     00:00    
    mariadb                                                  | 2.9 kB     00:00    
    rpmforge                                                 | 1.9 kB     00:00    
    updates                                                  | 3.4 kB     00:00    
    (1/3): epel/x86_64/updateinfo                              | 456 kB   00:00    
    epel/x86_64/primary_db         FAILED                                         
    http://mirror.23media.de/epel/7/x86_64/repodata/96e9b3b287efbf8ba1144761eff651fe3c74a5bc3b56e4cbc98f43944969e5de-primary.sqlite.xz: [Errno 14] HTTP Error 404 - Not Found
    Trying other mirror.
    To address this issue please refer to the below knowledge base article
    
    https://access.redhat.com/articles/1320623
    
    If above article doesn't help to resolve this issue please create a bug on https://bugs.centos.org/
    
    (2/3): epel/x86_64/primary_db                              | 3.7 MB   00:00    
    (3/3): updates/7/x86_64/primary_db                         | 1.7 MB   00:00    
    Loading mirror speeds from cached hostfile
    * base: ftp-stud.fht-esslingen.de
    * epel: mirror.de.leaseweb.net
    * extras: mirror.imt-systems.com
    * rpmforge: mirror.de.leaseweb.net
    * updates: mirror.de.leaseweb.net
    230 packages excluded due to repository priority protections
    Resolving Dependencies
    --> Running transaction check
    ---> Package openssh.x86_64 0:6.6.1p1-22.el7 will be updated
    ---> Package openssh.x86_64 0:6.6.1p1-23.el7_2 will be an update
    ---> Package openssh-clients.x86_64 0:6.6.1p1-22.el7 will be updated
    ---> Package openssh-clients.x86_64 0:6.6.1p1-23.el7_2 will be an update
    ---> Package openssh-server.x86_64 0:6.6.1p1-22.el7 will be updated
    ---> Package openssh-server.x86_64 0:6.6.1p1-23.el7_2 will be an update
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ================================================================================
    Package               Arch         Version                 Repository     Size
    ================================================================================
    Updating:
    openssh               x86_64       6.6.1p1-23.el7_2        updates       435 k
    openssh-clients       x86_64       6.6.1p1-23.el7_2        updates       639 k
    openssh-server        x86_64       6.6.1p1-23.el7_2        updates       436 k
    
    Transaction Summary
    ================================================================================
    Upgrade  3 Packages
    
    Total download size: 1.5 M
    Is this ok [y/d/N]: y
    Downloading packages:
    updates/7/x86_64/prestodelta                               | 129 kB   00:00    
    (1/3): openssh-6.6.1p1-23.el7_2.x86_64.rpm                 | 435 kB   00:00    
    (2/3): openssh-clients-6.6.1p1-23.el7_2.x86_64.rpm         | 639 kB   00:00    
    (3/3): openssh-server-6.6.1p1-23.el7_2.x86_64.rpm          | 436 kB   00:00    
    --------------------------------------------------------------------------------
    Total                                              4.8 MB/s | 1.5 MB  00:00    
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Updating   : openssh-6.6.1p1-23.el7_2.x86_64                              1/6
      Updating   : openssh-server-6.6.1p1-23.el7_2.x86_64                       2/6
      Updating   : openssh-clients-6.6.1p1-23.el7_2.x86_64                      3/6
      Cleanup    : openssh-clients-6.6.1p1-22.el7.x86_64                        4/6
      Cleanup    : openssh-server-6.6.1p1-22.el7.x86_64                         5/6
      Cleanup    : openssh-6.6.1p1-22.el7.x86_64                                6/6
      Verifying  : openssh-server-6.6.1p1-23.el7_2.x86_64                       1/6
      Verifying  : openssh-clients-6.6.1p1-23.el7_2.x86_64                      2/6
      Verifying  : openssh-6.6.1p1-23.el7_2.x86_64                              3/6
      Verifying  : openssh-clients-6.6.1p1-22.el7.x86_64                        4/6
      Verifying  : openssh-6.6.1p1-22.el7.x86_64                                5/6
      Verifying  : openssh-server-6.6.1p1-22.el7.x86_64                         6/6
    
    Updated:
      openssh.x86_64 0:6.6.1p1-23.el7_2                                            
      openssh-clients.x86_64 0:6.6.1p1-23.el7_2                                    
      openssh-server.x86_64 0:6.6.1p1-23.el7_2                                     
    
    Complete!
     
  18. Jimmy

    Might be a little off-topic, but what's the current version of CentOS, 7 or 7.2? I can only seem to download 7 from the site.
     
  19. Sunka

    7.2
     
  20. Jimmy

    Thanks. Looks like I'm already running 7.2. I should have checked before posting.