openssh-5.3p1-114.AXS4
エラータID: AXSA:2016-145:01
リリース日:
2016/03/22 Tuesday - 04:58
題名:
openssh-5.3p1-114.AXS4
影響のあるチャネル:
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- OpenSSH の sshd の auth2-chall.c の kbdint_next_device 関数は,単一
の接続内での複数のキーボード対話型デバイスの処理を制限しておらず,ssh
-oKbdInteractiveDevices オプションのリストが長い,あるいはリストが重複し
ていることによって,リモートの攻撃者がブルートフォース攻撃を行う,あるいは
サービス拒否 (CPU の消費) を引き起こしやすくする脆弱性があります。
(CVE-2015-5600)
- OpenSSH には,複数の CRLF インジェクション脆弱性が存在し,(1)
do_authenticated1,(2) session_x11_req 関数に関連する巧妙に細工された
X11 フォワーディングデータによって,リモートの認証されたユーザが,意図し
たシェルコマンドの制限を回避する脆弱性があります。(CVE-2016-3115)
一部CVEの翻訳文はJVNからの引用になります。
http://jvndb.jvn.jp/
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2015-5600
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.
CVE-2016-3115
Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions.
Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions.
追加情報:
N/A
ダウンロード:
SRPMS
- openssh-5.3p1-114.AXS4.src.rpm
MD5: 9ebf0bd3429b60fc3b8891443d798cf4
SHA-256: 671f8173a1396c1c92c9b5ca6660dbd5d544f7df974f8ac5a490c9938dac1c25
Size: 1.43 MB
Asianux Server 4 for x86
- openssh-5.3p1-114.AXS4.i686.rpm
MD5: 07fed98e9319720a0c38500d2c1160a8
SHA-256: 888d08ccaf1c737ca0b18cbcbd928c07ee3cc4261d1602b5a56100a61f3c4f3c
Size: 276.18 kB - openssh-askpass-5.3p1-114.AXS4.i686.rpm
MD5: 0fa0b71afc9e32f7630dc97ce2268421
SHA-256: e0c4f0bc979ed8f91d784e3992e66322bf3b8d450643aecb94cad504ed7f9dbe
Size: 57.98 kB - openssh-clients-5.3p1-114.AXS4.i686.rpm
MD5: d4ffbf0d5b7abc359d848468c35cac2b
SHA-256: cc6debef6ba7ceb7e7a23da2b6693ce013a5b2e005a287bdf02d971775d96539
Size: 444.55 kB - openssh-server-5.3p1-114.AXS4.i686.rpm
MD5: 20ae95099cdb403163e5b0b42c6e163d
SHA-256: 9a2eea024ec2019b8e0f107d68135d4f78970078ecae19ce322704cf6c15722d
Size: 322.33 kB
Asianux Server 4 for x86_64
- openssh-5.3p1-114.AXS4.x86_64.rpm
MD5: d8df20bd224283b6f72f74b0cf6a46ce
SHA-256: 75814a7a8d98bbe370ccdbe15faea8f6fb75093c94525179faa68920ccd36fc2
Size: 273.30 kB - openssh-askpass-5.3p1-114.AXS4.x86_64.rpm
MD5: 309129d99e06e8cb8f8c4b45b2ada913
SHA-256: 196db5da14c9502a82805496e57a9878e14a6205216aa476bb8bde3e84e48a9d
Size: 57.71 kB - openssh-clients-5.3p1-114.AXS4.x86_64.rpm
MD5: 87e622a58f6d0727b95eff83da6ab982
SHA-256: 6351ac333275c006fea4fa7fb30789a5a2c6773395165aa78b8a77e064856c31
Size: 437.71 kB - openssh-server-5.3p1-114.AXS4.x86_64.rpm
MD5: 3b58c32335f53a42369a14154476123a
SHA-256: 18345e62a3b62addc3657414ec58e183bed516060c800cb2b51c230afe704f6c
Size: 323.34 kB