Security update for openssh

SUSE Security Update: Security update for openssh
Announcement ID: SUSE-SU-2016:1528-1
Rating: moderate
References: #729190 #932483 #948902 #960414 #961368 #961494 #962313 #965576 #970632 #975865
Affected Products:
  • SUSE Linux Enterprise Server 11-SP4
  • SUSE Linux Enterprise Debuginfo 11-SP4

  • An update that solves three vulnerabilities and has 7 fixes is now available.


    openssh was updated to fix three security issues.

    These security issues were fixed:
    - CVE-2016-3115: Multiple CRLF injection vulnerabilities in session.c in
    sshd in OpenSSH allowed remote authenticated users to bypass intended
    shell-command restrictions (such as a forced command) via crafted X11
    forwarding data that reached the xauth command unsanitised, related to
    the (1) do_authenticated1 and (2) session_x11_req functions.
    - CVE-2016-1908: Possible fallback from untrusted to trusted X11
    forwarding: when the ssh client failed to generate an untrusted X11
    cookie it relied on the local X server's access control, so on an X
    server without the SECURITY extension a forwarded connection could end
    up with trusted privileges (bsc#962313).
    - CVE-2015-8325: Ignore PAM environment vars when UseLogin=yes. With
    UseLogin enabled and PAM configured to read ~/.pam_environment, a local
    user could inject variables such as LD_PRELOAD into the environment of
    the root-run /bin/login and gain privileges.

    These non-security issues were fixed:
    - Correctly parse GSSAPI KEX algorithms (bsc#961368)
    - More verbose FIPS mode/CC related documentation in README.FIPS
    (bsc#965576, bsc#960414)
    - Fix PRNG re-seeding (bsc#960414, bsc#729190)
    - Disable DH parameters under 2048 bits by default and allow lowering the
    limit back to the RFC 4419 specified minimum (1024 bits) through an option
    (bsc#932483, bsc#948902)
    - Allow empty Match blocks (bsc#961494)

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Server 11-SP4:
      zypper in -t patch slessp4-openssh-12603=1
    • SUSE Linux Enterprise Debuginfo 11-SP4:
      zypper in -t patch dbgsp4-openssh-12603=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      • openssh-6.6p1-21.1
      • openssh-askpass-gnome-6.6p1-21.3
      • openssh-fips-6.6p1-21.1
      • openssh-helpers-6.6p1-21.1
    • SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      • openssh-askpass-gnome-debuginfo-6.6p1-21.3
      • openssh-debuginfo-6.6p1-21.1
      • openssh-debugsource-6.6p1-21.1
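
    The following check script is an added example and is not part of the SUSE
    advisory or of the openssh package. It verifies that the installed openssh
    package on a SLES 11 SP4 host is at or above the fixed release 6.6p1-21.1
    listed above, using the version-release string printed by rpm, and it flags
    the two sshd_config settings that widen exposure to the server-side issues
    fixed here (UseLogin yes for CVE-2015-8325, X11Forwarding yes for
    CVE-2016-3115). The function names, the script name check-openssh.sh and
    the assumption that the release field is dotted-numeric are this example's
    own; Match blocks in sshd_config are not interpreted.

```shell
#!/bin/sh
# Added example, not from the SUSE advisory: check the openssh fix level on
# SLES 11 SP4 and audit sshd_config for settings relevant to the fixed CVEs.

FIXED_VR="6.6p1-21.1"   # version-release of the fixed package from the advisory

# rel_cmp A B: compare two dotted-numeric rpm release strings (e.g. 21.1 vs
# 20.3) field by field; prints -1, 0 or 1. Assumes numeric components only.
rel_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        [ "$a" = "$ah" ] && a="" || a="${a#*.}"
        [ "$b" = "$bh" ] && b="" || b="${b#*.}"
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then echo -1; return; fi
        if [ "$ah" -gt "$bh" ]; then echo 1; return; fi
    done
    echo 0
}

# openssh_is_patched VR: VR is "version-release" as printed by
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssh
# Succeeds (exit 0) when VR is at or above FIXED_VR. A different upstream
# version string means a different package stream and is reported as
# not verified rather than guessed at.
openssh_is_patched() {
    vr="$1"
    ver="${vr%%-*}"; rel="${vr#*-}"
    fver="${FIXED_VR%%-*}"; frel="${FIXED_VR#*-}"
    [ "$ver" = "$fver" ] || return 1
    [ "$(rel_cmp "$rel" "$frel")" -ge 0 ]
}

# risky_sshd_settings FILE: print sshd_config directives that enlarge the
# attack surface of the fixed issues. Keywords are matched case-insensitively
# like sshd does; comments and blank lines are skipped.
risky_sshd_settings() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { k = tolower($1); v = tolower($2) }
        k == "uselogin"      && v == "yes" { print "UseLogin yes (CVE-2015-8325)" }
        k == "x11forwarding" && v == "yes" { print "X11Forwarding yes (CVE-2016-3115)" }
    ' "$1"
}

main() {
    cfg="$1"
    inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssh 2>/dev/null) \
        || { echo "openssh is not installed"; exit 2; }
    if openssh_is_patched "$inst"; then
        echo "openssh $inst: fixed release $FIXED_VR or later is installed"
    else
        echo "openssh $inst: below $FIXED_VR, apply patch slessp4-openssh-12603"
    fi
    risky_sshd_settings "$cfg"
}

# Usage: sh check-openssh.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

    The release comparison is deliberately narrow: it only answers "is this
    the fixed build or a later rebuild of the same 6.6p1 stream", which is
    the question the advisory's package list lets you answer. An rpm version
    from another stream is reported as unpatched so that a backported build
    is never silently accepted on a string-comparison accident.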