[SECURITY-L] OpenSSH vulnerabilities

CSIRT Unicamp security at unicamp.br
Fri Aug 14 13:24:55 -03 2015


-------- Forwarded Message --------
Subject: 	[USN-2710-1] OpenSSH vulnerabilities
Date: 	Fri, 14 Aug 2015 11:41:46 -0400
From: 	Marc Deslauriers <marc.deslauriers at canonical.com>
Reply-To: 	ubuntu-users at lists.ubuntu.com, Ubuntu Security
<security at ubuntu.com>
To: 	ubuntu-security-announce at lists.ubuntu.com



==========================================================================
Ubuntu Security Notice USN-2710-1
August 14, 2015

openssh vulnerabilities
==========================================================================


Summary:

Several security issues were fixed in OpenSSH.

Software Description:
- openssh: secure shell (SSH) for secure access to remote machines

Details:

Moritz Jodeit discovered that OpenSSH incorrectly handled usernames when
using PAM authentication. If an additional vulnerability were discovered in
the OpenSSH unprivileged child process, this issue could allow a remote
attacker to perform user impersonation. (CVE number pending)

Moritz Jodeit discovered that OpenSSH incorrectly handled context memory
when using PAM authentication. If an additional vulnerability were
discovered in the OpenSSH unprivileged child process, this issue could
allow a remote attacker to bypass authentication or possibly execute
arbitrary code. (CVE number pending)

Jann Horn discovered that OpenSSH incorrectly handled time windows for
X connections. A remote attacker could use this issue to bypass certain
access restrictions. (CVE-2015-5352)

It was discovered that OpenSSH incorrectly handled keyboard-interactive
authentication. In a non-default configuration, a remote attacker could
possibly use this issue to perform a brute-force password attack.
(CVE-2015-5600)


References:
  http://www.ubuntu.com/usn/usn-2710-1
  CVE-2015-5352, CVE-2015-5600
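
A configuration check for the two features this notice names, PAM authentication and keyboard-interactive authentication, added here as an example; it is not part of the advisory or of OpenSSH. It assumes the "non-default configuration" means keyboard-interactive or challenge-response authentication being enabled, assumes upstream defaults for absent keywords, and uses hypothetical function names and constructed sample configurations.

```python
import re

# Assumed upstream OpenSSH defaults for keywords missing from the input.
# Distribution builds may differ, so `sshd -T` output is the better input.
UPSTREAM_DEFAULTS = {
    "usepam": "no",
    "challengeresponseauthentication": "yes",
    "kbdinteractiveauthentication": "no",
}
LINE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")

# Constructed sample inputs, not taken from the advisory.
DISABLED_SAMPLE = "Port 22\nChallengeResponseAuthentication no\nUsePAM yes\n"
ENABLED_SAMPLE = (
    "# first value wins, so the later 'no' is ignored\n"
    "challengeresponseauthentication = yes\n"
    "ChallengeResponseAuthentication no\n"
    "UsePAM yes\n"
    "Match User backup\n"
    "    KbdInteractiveAuthentication no\n"
)


def global_settings(text):
    """Collect global keywords; sshd keeps the first value seen for each."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if not line or line.startswith("#") or not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"').lower()
        if key == "match":
            break  # conditional Match blocks are not evaluated by this check
        seen.setdefault(key, value)
    return seen


def advisory_features(text):
    """Report whether the features named in the notice are switched on."""
    cfg = {**UPSTREAM_DEFAULTS, **global_settings(text)}
    # Flag for review if either keyword enables the method (conservative).
    kbdint = "yes" in (cfg["challengeresponseauthentication"],
                       cfg["kbdinteractiveauthentication"])
    return {"pam": cfg["usepam"] == "yes", "keyboard_interactive": kbdint}


if __name__ == "__main__":
    for name, sample in (("disabled", DISABLED_SAMPLE), ("enabled", ENABLED_SAMPLE)):
        print(name, advisory_features(sample))
```

On a live host, pass in the output of `sshd -T`, which prints the effective configuration with defaults already resolved.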



