Security update for openssh

SUSE Security Update: Security update for openssh
Announcement ID: SUSE-SU-2016:2388-1
Rating: moderate
References: #932483 #948902 #959096 #962313 #962794 #970632 #975865 #981654 #989363 #992533
Affected Products:
  • SUSE OpenStack Cloud 5
  • SUSE Manager Proxy 2.1
  • SUSE Manager 2.1
  • SUSE Linux Enterprise Server 11-SP3-LTSS
  • SUSE Linux Enterprise Point of Sale 11-SP3
  • SUSE Linux Enterprise Debuginfo 11-SP3

  • An update that solves 5 vulnerabilities and has 5 fixes is now available.

    Description:


    This update for OpenSSH fixes the following issues:

    - Prevent user enumeration through the timing of password processing.
    (bsc#989363, CVE-2016-6210)
    - Allow lowering the DH groups parameter limit in server as well as when
    GSSAPI key exchange is used. (bsc#948902)
    - Sanitize input for xauth(1). (bsc#970632, CVE-2016-3115)
    - Prevent X11 SECURITY circumvention when forwarding X11 connections.
    (bsc#962313, CVE-2016-1908)
    - Disable DH parameters under 2048 bits by default and allow lowering the
    limit back to the RFC 4419 specified minimum through an option.
    (bsc#932483, bsc#948902)
    - Ignore PAM environment when using login. (bsc#975865, CVE-2015-8325)
    - Limit the accepted password length (prevents a possible denial of
    service). (bsc#992533, CVE-2016-6515)
    - Relax version requires for the openssh-askpass sub-package. (bsc#962794)
    - Avoid complaining about unset DISPLAY variable. (bsc#981654)
    - Initialize message id to prevent connection breakups in some cases.
    (bsc#959096)

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE OpenStack Cloud 5:
      zypper in -t patch sleclo50sp3-openssh-12759=1
    • SUSE Manager Proxy 2.1:
      zypper in -t patch slemap21-openssh-12759=1
    • SUSE Manager 2.1:
      zypper in -t patch sleman21-openssh-12759=1
    • SUSE Linux Enterprise Server 11-SP3-LTSS:
      zypper in -t patch slessp3-openssh-12759=1
    • SUSE Linux Enterprise Point of Sale 11-SP3:
      zypper in -t patch sleposp3-openssh-12759=1
    • SUSE Linux Enterprise Debuginfo 11-SP3:
      zypper in -t patch dbgsp3-openssh-12759=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE OpenStack Cloud 5 (x86_64):
      • openssh-6.2p2-0.33.2
      • openssh-askpass-6.2p2-0.33.2
      • openssh-askpass-gnome-6.2p2-0.33.5
    • SUSE Manager Proxy 2.1 (x86_64):
      • openssh-6.2p2-0.33.2
      • openssh-askpass-6.2p2-0.33.2
      • openssh-askpass-gnome-6.2p2-0.33.5
    • SUSE Manager 2.1 (s390x x86_64):
      • openssh-6.2p2-0.33.2
      • openssh-askpass-6.2p2-0.33.2
      • openssh-askpass-gnome-6.2p2-0.33.5
    • SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):
      • openssh-6.2p2-0.33.2
      • openssh-askpass-6.2p2-0.33.2
      • openssh-askpass-gnome-6.2p2-0.33.5
    • SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
      • openssh-6.2p2-0.33.2
      • openssh-askpass-6.2p2-0.33.2
      • openssh-askpass-gnome-6.2p2-0.33.5
    • SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
      • openssh-askpass-gnome-debuginfo-6.2p2-0.33.5
      • openssh-debuginfo-6.2p2-0.33.2
      • openssh-debugsource-6.2p2-0.33.2

    References: