[security-announce] Security Update: OpenSSH: CVE-2016-6210

Sona Sarmadi sona.sarmadi at enea.com
Mon Oct 17 14:57:47 CEST 2016


		Enea Linux Security Advisory

====================================================================
Product/package: Enea Linux 6.0: (OpenSSH 7.1 P2)
Severity: Medium
Architecture: all
CVE Name: CVE-2016-6210
====================================================================
Eddie Harari reported that the OpenSSH SSH daemon allows user
enumeration through timing differences when trying to authenticate
users. This security update mitigates timing differences in password
authentication.

Description
===========
When SSHD tries to authenticate a non-existing user, it will pick up a
fake password structure hard-coded in the SSHD source code. An attacker
can measure timing information to determine if a user exists when
verifying a password.

References:
===========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6210
https://www.openssh.com/txt/release-7.3
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6210

Correction for Enea Linux
=========================
http://git.enea.com/cgit/linux/poky.git/patch/?id=414aad04b631baddfc8e3dd02c305da0ddf9b883

How to get the latest patches
=============================
- If you have already cloned needed repositories, update it to get new
security patches.

cd Enea-Linux-6.0
$ repo sync

- If you have not yet cloned needed repositories, do it as described
below. (Security patches are fetched implicitly when cloning the repos).

Use repo tool to download the source for Enea Linux, follow the steps below:
1. Make sure that the repo tool is installed. If not, follow the
instructions below:

$ curl https://storage.googleapis.com/git-repo-downloads/repo >
~/bin/repo
$ chmod a+x ~/bin/repo

The instruction assumes that ~/bin exists and is included in the PATH
variable.

2.Use the repo tool to download the source:
$ mkdir Enea-Linux-6.0
$ cd Enea-Linux-6.0
$ repo init \
-u git://git.enea.com/linux/el_manifests-standard.git \
-b krogoth\
-m <manifest file>
$ repo sync

The parameter <manifest file> depends on the target:
P2041RDB: p2041rdb/default.xml
LS1021a-IoT: ls1021aiot/default.xml
QEMUARM: qemuarm/default.xml
QEMUPCC: qemuppc/default.xml
QEMUX86: qemux86/default.xml

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

For custom packages/releases please use the official Support Channel:
http://www.enea.com/solutions/support.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://mail.lists.enea.com/pipermail/security-announce/attachments/20161017/19e2658a/attachment.sig>


More information about the security-announce mailing list