Gentoo Forums
Question about [ GLSA 201512-04 ] OpenSSH
Gentoo Forums Forum Index Networking & Security
homoludens
n00b


Joined: 14 Jun 2009
Posts: 11

Posted: Mon Dec 21, 2015 3:05 pm    Post subject: Question about [ GLSA 201512-04 ] OpenSSH

So... https://security.gentoo.org/glsa/201512-04

Quote:
Affected Packages

Package: net-misc/openssh
Vulnerable: < 7.1_p1-r2
Unaffected: >= 7.1_p1-r2


and:

Quote:
Resolution

All OpenSSH users should upgrade to the latest version:
Code:
# emerge --ask --oneshot --verbose ">=net-misc/openssh-6.9_p1-r2"



How can a downgrade help when the affected versions are < 7.1_p1-r2?
And the latest version in Portage is 7.1_p1-r2 (https://packages.gentoo.org/packages/net-misc/openssh)?

Am I missing something?
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 44050
Location: 56N 3W

Posted: Mon Dec 21, 2015 4:42 pm

homoludens,

The advisory now says,

Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/openssh-7.1_p1-r2"


Well caught.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
depontius
Advocate


Joined: 05 May 2004
Posts: 3403

Posted: Fri Jan 15, 2016 2:59 am

So I see that I upgraded to the good version on Nov 5, 2015. I got the impression that this was a brand new vulnerability, and the fix just came out. The fix looks several months old. Any idea what's up?
_________________
.sigs waste space and bandwidth
Hu
Moderator


Joined: 06 Mar 2007
Posts: 14300

Posted: Sat Jan 16, 2016 1:37 am

As I read the Portage git logs, =net-misc/openssh-7.1_p2 was only added 2016-01-14 20:54:48, so you cannot have upgraded to it in November. The vulnerability is quite old. It is present in OpenSSH 5.4 and later.
depontius
Advocate


Joined: 05 May 2004
Posts: 3403

Posted: Sat Jan 16, 2016 3:17 am

Oops, looked again, and it's _p1-r2, and I did upgrade to it in November, from /var/log/portage:
Code:
-rw-rw---- 1 portage portage      3198 Nov  5 12:26 net-misc:openssh-6.9_p1-r2:20151105-172625.log
-rw-rw---- 1 portage portage    215721 Nov  5 12:26 net-misc:openssh-7.1_p1-r2:20151105-172528.log


Wait a minute... From the advisory, as homoludens says:
Code:
Unaffected versions    >= 7.1_p1-r2


And that's what I've got installed. Looks like a typo in the security advisory, to me.
_________________
.sigs waste space and bandwidth
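Both homoludens's question (a ">= 6.9_p1-r2" resolution cannot exclude a "< 7.1_p1-r2" vulnerable range) and depontius's check of the /var/log/portage file names come down to comparing Gentoo version strings against the advisory's ranges. The script below is an added example, not code from this thread or from Gentoo: it implements a simplified Portage version ordering (numeric components, optional letter, _alpha/_beta/_pre/_rc/_p suffixes, -r revision; on a real system `portage.versions.vercmp` is the authoritative comparison), parses build-log file names of the form quoted above, classifies each logged build against the Vulnerable range, and checks whether a ">= X" resolution bound actually reaches the first unaffected version. The third log file name and the helper names `audit` and `resolution_is_sufficient` are constructed for the example.

```python
import re

# Suffix ordering from the Package Manager Specification:
# _alpha < _beta < _pre < _rc < (no suffix) < _p
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}

VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"                          # 7.1
    r"(?P<letter>[a-z])?"                                # optional letter, e.g. 1.0a
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)"    # _p1, _rc2, ...
    r"(?:-r(?P<rev>\d+))?$"                              # Gentoo revision, e.g. -r2
)


def parse_version(ver):
    """Turn a Gentoo version string such as '7.1_p1-r2' into a tuple that
    sorts the way Portage orders versions. Simplified: numeric components
    are compared as integers, which is exact for the versions in this thread."""
    m = VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"not a Gentoo version string: {ver!r}")
    nums = tuple(int(x) for x in m.group("nums").split("."))
    letter = m.group("letter") or ""
    suffixes = [
        (SUFFIX_RANK[name], int(num or 0))
        for name, num in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes"))
    ]
    # Append the "no suffix" sentinel so that 7.1 < 7.1_p1 and 7.1_rc1 < 7.1
    # fall out of plain tuple comparison.
    suffixes.append((SUFFIX_RANK[""], 0))
    revision = int(m.group("rev") or 0)
    return (nums, letter, tuple(suffixes), revision)


def satisfies(installed, constraint):
    """Check an installed version against a GLSA-style constraint such as
    '< 7.1_p1-r2' (Vulnerable) or '>= 7.1_p1-r2' (Unaffected)."""
    m = re.match(r"^(>=|<=|<|>|=)\s*(\S+)$", constraint.strip())
    if not m:
        raise ValueError(f"bad constraint: {constraint!r}")
    op, bound = m.groups()
    a, b = parse_version(installed), parse_version(bound)
    return {">=": a >= b, "<=": a <= b, "<": a < b, ">": a > b, "=": a == b}[op]


# /var/log/portage names look like  category:package-version:YYYYMMDD-HHMMSS.log
LOG_NAME_RE = re.compile(
    r"^(?P<cat>[^:/]+):(?P<pn>.+?)-(?P<ver>\d[^:]*):\d{8}-\d{6}\.log$"
)


def version_from_log_name(name):
    """Return (category, package, version) from a Portage build-log file name."""
    m = LOG_NAME_RE.match(name)
    return (m.group("cat"), m.group("pn"), m.group("ver")) if m else None


def audit(log_names, package, vulnerable):
    """Map every logged build of `package` to 'vulnerable' or 'unaffected'
    according to the advisory's Vulnerable range (constructed helper)."""
    result = {}
    for name in log_names:
        parsed = version_from_log_name(name)
        if parsed and f"{parsed[0]}/{parsed[1]}" == package:
            status = "vulnerable" if satisfies(parsed[2], vulnerable) else "unaffected"
            result[parsed[2]] = status
    return result


def resolution_is_sufficient(resolution_version, unaffected_version):
    """A '>= X' resolution only closes the hole if X is at least the first
    unaffected version; otherwise emerge may stop at a still-vulnerable
    version (constructed helper)."""
    return parse_version(resolution_version) >= parse_version(unaffected_version)


if __name__ == "__main__":
    # File names as quoted in the thread, plus one constructed older build.
    logs = [
        "net-misc:openssh-6.9_p1-r2:20151105-172625.log",
        "net-misc:openssh-7.1_p1-r2:20151105-172528.log",
        "net-misc:openssh-7.1_p1-r1:20150901-101010.log",  # constructed
    ]
    print(audit(logs, "net-misc/openssh", "< 7.1_p1-r2"))
    for res in ("6.9_p1-r2", "7.1_p1-r2"):
        ok = resolution_is_sufficient(res, "7.1_p1-r2")
        print(f">=net-misc/openssh-{res} sufficient: {ok}")
```

Run against the thread's numbers, the audit reports 7.1_p1-r2 as unaffected and both 6.9_p1-r2 and the constructed 7.1_p1-r1 as vulnerable, and only the corrected ">= 7.1_p1-r2" bound is sufficient, which is exactly the mismatch homoludens spotted in the first version of the advisory.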