Your message dated Thu, 14 Jan 2016 16:05:37 +0000
with message-id <[email protected]>
and subject line Bug#810984: fixed in openssh 1:7.1p2-1
has caused the Debian Bug report #810984,
regarding openssh-client: CVE-2016-0777
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
810984: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810984
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssh-client
Version: 1:7.1p1-6
Severity: critical
Tags: security
Justification: root security hole
Hey.
You probably know about this already, but just in case not:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034679.html
Cheers,
Chris.
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.3.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssh-client depends on:
ii adduser 3.113+nmu3
ii dpkg 1.18.4
ii libc6 2.21-6
ii libedit2 3.1-20150325-1+b1
ii libgssapi-krb5-2 1.13.2+dfsg-4
ii libselinux1 2.4-3
ii libssl1.0.2 1.0.2e-1
ii passwd 1:4.2-3.1
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages openssh-client recommends:
ii xauth 1:1.0.9-1
Versions of packages openssh-client suggests:
pn keychain <none>
pn libpam-ssh <none>
pn monkeysphere <none>
pn ssh-askpass <none>
-- Configuration Files:
/etc/ssh/ssh_config changed [not included]
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:7.1p2-1
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 14 Jan 2016 15:28:03 +0000
Source: openssh
Binary: openssh-client openssh-client-ssh1 openssh-server openssh-sftp-server
ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.1p2-1
Distribution: unstable
Urgency: high
Maintainer: Debian OpenSSH Maintainers <[email protected]>
Changed-By: Colin Watson <[email protected]>
Description:
openssh-client - secure shell (SSH) client, for secure access to remote
machines
openssh-client-ssh1 - secure shell (SSH) client for legacy SSH1 protocol
openssh-client-udeb - secure shell client for the Debian installer (udeb)
openssh-server - secure shell (SSH) server, for secure access from remote
machines
openssh-server-udeb - secure shell server for the Debian installer (udeb)
openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access
from remot
ssh - secure shell client and server (metapackage)
ssh-askpass-gnome - interactive X program to prompt users for a passphrase for
ssh-ad
ssh-krb5 - secure shell client and server (transitional package)
Closes: 810984
Changes:
openssh (1:7.1p2-1) unstable; urgency=high
.
* New upstream release (http://www.openssh.com/txt/release-7.1p2):
- CVE-2016-0777, CVE-2016-0778: Disable experimental client-side support
for roaming, which could be tricked by a malicious server into leaking
client memory to the server, including private client user keys; this
information leak is restricted to connections to malicious or
compromised servers (closes: #810984).
- SECURITY: Fix an out of-bound read access in the packet handling code.
Reported by Ben Hawkes.
- Further use of explicit_bzero has been added in various buffer
handling code paths to guard against compilers aggressively doing
dead-store removal.
Checksums-Sha1:
89b110673f494251c90972f07ee8d2d79d35e91a 2835 openssh_7.1p2-1.dsc
9202f5a2a50c8a55ecfb830609df1e1fde97f758 1475829 openssh_7.1p2.orig.tar.gz
f7a906cafdb5c148086c7a245f5a267996552a5d 148576 openssh_7.1p2-1.debian.tar.xz
Checksums-Sha256:
a1f6b01e2229f167f35e5f5378181f3d931196919efa1a8c379709686c79a639 2835
openssh_7.1p2-1.dsc
dd75f024dcf21e06a0d6421d582690bf987a1f6323e32ad6619392f3bfde6bbd 1475829
openssh_7.1p2.orig.tar.gz
349d952bd32dbce1191deb3cd79b37d5380610766a3b047eb2f295f228ce8b50 148576
openssh_7.1p2-1.debian.tar.xz
Files:
dd0ef27249e07ef1e16066ea7762622f 2835 net standard openssh_7.1p2-1.dsc
4d8547670e2a220d5ef805ad9e47acf2 1475829 net standard openssh_7.1p2.orig.tar.gz
413eee29fec1fa26546265c5e2eef4cf 148576 net standard
openssh_7.1p2-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Colin Watson <[email protected]> -- Debian developer
iQIVAwUBVpe+izk1h9l9hlALAQgy0g/+PVFmowkheu+LuvXdus9NmQK4l5nxFOXz
Qkxcc41/speKhMYZK2sUYvRx7H/PlPW+Sorpqs+l9p5V9pVrgN3PWnf4iMZkSK6J
bt0OWM2KjUXkL9u3hpotoX8ZfvuZqjVxrqrnPNUV46lvD1qryLPtlWXGMAySwdA3
txpyUTpNTV7fFnsqzEqd1xEd5nC/Aa/QBfqTZAToNWpTipec+UEWJX8gimDoDInw
IdDcWvE/Bxvrath2TYsN5mKUIIfpPMtx0mD0CI/wB+r6NgtMVU9G6iYaWxrHlZ10
AHo9sSwa9AO9BDe1mL8+7sYPsXqackno8vZeYVmzB2b4SdPKGFJlfgLpfRSolHtM
83lj0mLK1DxL2GJRVs1GL0EzgBWU9oc32KxnfbeqyNYVglDP6I/Wdxz8kX+a/xcT
ewLQK8wVblANVuYIXIbeqcWETZh3mhtij0hDSEr9NfT74uZ6loZ+gEqN/BfSN8yT
9I+UUXKUABQYdFWOdeZbvBTs9EBNQbuAu8CXW8HUM9dgJI3pW6/QS3YqEl+WE5fm
fj86xANwgHTJChcS4TVmnMmhnQhhdzDnxyJ77QoeiPYReGFX1ApjrBrYpTk85L2/
3asonayCpL0vtjf/7dsRKkRDsMpgz3POnCYk9qy0V29EhlxMK6QFK4il9+/9SugD
XTnsEUgwdhI=
=Bku6
-----END PGP SIGNATURE-----
--- End Message ---
