Debian Long Term Support / LTS Security Information / 2015 / Security Information -- DLA-288-2 openssh

Debian Security Advisory

DLA-288-2 openssh -- LTS security update

Date Reported:

30 Sep 2015

Affected Packages:

openssh

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2015-5600.

More information:

In Debian LTS (squeeze), the fix for CVE-2015-5600[1] in openssh 1:5.5p1-6+squeeze7 breaks authentication mechanisms that rely on the keyboard-interactive method. Thanks to Colin Watson for making aware of that.

The patch fixing CVE-2015-5600 introduces the field devices_done to the KbdintAuthctxt struct, but does not initialize the field in the kbdint_alloc() function. On Linux, this ends up filling that field with junk data. The result of this are random login failures when keyboard-interactive authentication is used.

This upload of openssh 1:5.5p1-6+squeeze7 to Debian LTS (squeeze) adds that initialization of the `devices_done` field alongside the existing initialization code.

People relying on keyboard-interactive based authentication mechanisms with OpenSSH on Debian squeeze(-lts) systems are recommended to upgrade OpenSSH to 1:5.5p1-6+squeeze7.

[1] https://lists.debian.org/debian-lts-announce/2015/08/msg00001.html

For Debian 6 Squeeze, these issues have been fixed in openssh version 1:5.5p1-6+squeeze7