Linux News Today: Canonical Patches Multiple OpenSSH Vulnerabilities in Supported Ubuntu OSes
Canonical released an update for the OpenSSH packages in the Ubuntu 15.10 (Wily Werewolf), Ubuntu 14.04 LTS (Trusty Tahr), and Ubuntu 12.04 LTS (Precise Pangolin) operating systems.
The update appears to be an important one: it patches a total of four security flaws, discovered by various developers, in OpenSSH, the secure shell (SSH) implementation that Ubuntu Linux users can use to access remote machines securely.
The first security issue (CVE-2015-8325) was discovered by Shayan Sadigh in the way OpenSSH handles environment files: the handling failed to work correctly when the UseLogin feature was enabled, allowing a local attacker to gain root access.
The second vulnerability (CVE-2016-1907), affecting only Ubuntu 15.10 users, was discovered by Ben Hawkes in the way OpenSSH handles network traffic, which could have allowed a remote attacker to crash the OpenSSH server and cause a denial of service.
The third security flaw (CVE-2016-1908) was discovered by Thomas Hoger in the way OpenSSH handles untrusted X11 forwarding data: the handling failed to work correctly when the SECURITY extension was disabled. Because of this, an untrusted connection could easily be passed off as a trusted one.
Lastly, the fourth vulnerability (CVE-2016-3115) was also discovered in the way OpenSSH handles untrusted X11 forwarding data, which could have allowed a remote authenticated attacker to bypass certain intended command restrictions.
Users are urged to update as soon as possible
Canonical urges users of the Ubuntu 15.10 (Wily Werewolf), Ubuntu 14.04 LTS (Trusty Tahr), and Ubuntu 12.04 LTS (Precise Pangolin) operating systems to update their OpenSSH packages as soon as possible.
The new versions, 6.9p1-2ubuntu0.2 for Ubuntu 15.10, 6.6p1-2ubuntu2.7 for Ubuntu 14.04 LTS, and 5.9p1-5ubuntu1.9 for Ubuntu 12.04 LTS, are live on the main software repositories. To update, run the commands below or use the built-in Software Updater tool.
sudo apt-get update
sudo apt-get dist-upgrade