Linux News Today: Canonical Patches Critical OpenSSH Vulnerabilities in All Supported Ubuntu OSes – Updated
Canonical's Ubuntu developers, who patch the latest security flaws in the core components and applications of all supported Ubuntu Linux operating systems, published a new security notice today, January 14, 2016, informing users that an update for the OpenSSH software is available.
The OpenBSD project earlier issued a press release about a critical security vulnerability recently discovered in OpenSSH versions 5.4 to 7.1, which could allow an attacker to steal sensitive data, including private user keys. The issue has been patched in OpenSSH 7.1p2, which is now available for download.
“It was discovered that the OpenSSH client experimental support for resuming connections contained multiple security issues. A malicious server could use this issue to leak client memory to the server, including private client user keys,” said the developers in today’s Ubuntu Security Notice USN-2869-1.
The security issue affects all supported releases of the Ubuntu Linux operating system, as well as their derivatives, including Ubuntu 15.10 (Wily Werewolf), Ubuntu 15.04 (Vivid Vervet), Ubuntu 14.04 LTS (Trusty Tahr), and Ubuntu 12.04 LTS (Precise Pangolin). Canonical was quick to update the OpenSSH packages in all these OSes on the same day.
Therefore, if you’re running one of the above-mentioned operating systems, or any derivative based on them, you are urged to update the OpenSSH packages as soon as possible to openssh-client 6.9p1-2ubuntu0.1 in Ubuntu 15.10, openssh-client 6.7p1-5ubuntu1.4 in Ubuntu 15.04, openssh-client 6.6p1-2ubuntu2.4 in Ubuntu 14.04 LTS, and openssh-client 5.9p1-5ubuntu1.8 in Ubuntu 12.04 LTS.
Update: A few minutes ago, at 5:00 AM on Friday, January 15, 2016, Canonical also released the OpenSSH 7.1p2 update for the Ubuntu 16.04 LTS (Xenial Xerus) operating system, which is currently in development.