[ubuntu/trusty-security] openssh 1:6.6p1-2ubuntu2.7 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Mon May 9 18:34:45 UTC 2016

openssh (1:6.6p1-2ubuntu2.7) trusty-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via environment files when
    UseLogin is configured
    - debian/patches/CVE-2015-8325.patch: ignore PAM environment vars when
      UseLogin is enabled in session.c.
    - CVE-2015-8325
  * SECURITY UPDATE: fallback from untrusted X11-forwarding to trusted
    - debian/patches/CVE-2016-1908-1.patch: use stack memory in
    - debian/patches/CVE-2016-1908-2.patch: eliminate fallback in
      clientloop.c, clientloop.h, mux.c, ssh.c.
    - CVE-2016-1908
  * SECURITY UPDATE: shell-command restrictions bypass via crafted X11
    forwarding data
    - debian/patches/CVE-2016-3115.patch: sanitise characters destined for
      xauth in session.c.
    - CVE-2016-3115

openssh (1:6.6p1-2ubuntu2.6) trusty; urgency=medium

  * debian/control, debian/rules: enable libaudit support. (LP: #1478087)

openssh (1:6.6p1-2ubuntu2.5) trusty-proposed; urgency=medium

  * Backport upstream reporting of max auth attempts, so that fail2bail
    and similar tools can learn the IP address of brute forcers.
    (LP: #1534340)
    - debian/patches/report-max-auth.patch

Date: 2016-05-05 13:41:18.342986+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
-------------- next part --------------
Sorry, changesfile not available.

More information about the Trusty-changes mailing list