Colin Watson uploaded new packages for openssh which fixed the following security problems:

CVE-2014-2532 (DSA-2894-1)

  Jann Horn discovered that OpenSSH incorrectly handled wildcards in AcceptEnv lines. A remote attacker could use this issue to trick OpenSSH into accepting any environment variable that contains the characters before the wildcard character.

  https://security-tracker.debian.org/tracker/CVE-2014-2532

CVE-2014-2653 (DSA-2894-1)

  Matthew Vernon reported that if an SSH server offers a HostCertificate that the ssh client doesn't accept, then the client doesn't check the DNS for SSHFP records. As a consequence a malicious server can disable SSHFP-checking by presenting a certificate. Note that a host verification prompt is still displayed before connecting.

  https://security-tracker.debian.org/tracker/CVE-2014-2653

For the wheezy-backports distribution, these problems have been fixed in version 1:6.6p1-4~bpo70+1.

For the oldstable distribution (squeeze), these problems have been fixed in version 1:5.5p1-6+squeeze5.

For the stable distribution (wheezy), these problems have been fixed in version 1:6.0p1-4+deb7u1.

For the testing (jessie) and unstable (sid) distributions, these problems have been fixed in version 1:6.6p1-1.

-- Colin Watson [[email protected]]
