Debian Security Advisory

DSA-2894-1 openssh -- security update

Date Reported:
05 Apr 2014
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 742513.
In Mitre's CVE dictionary: CVE-2014-2532, CVE-2014-2653.
More information:

Two vulnerabilities were discovered in OpenSSH, an implementation of the SSH protocol suite. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2014-2532

    Jann Horn discovered that OpenSSH incorrectly handled wildcards in AcceptEnv lines. A remote attacker could use this issue to trick OpenSSH into accepting any environment variable that contains the characters before the wildcard character.

  • CVE-2014-2653

    Matthew Vernon reported that if a SSH server offers a HostCertificate that the ssh client doesn't accept, then the client doesn't check the DNS for SSHFP records. As a consequence a malicious server can disable SSHFP-checking by presenting a certificate.

    Note that a host verification prompt is still displayed before connecting.

For the oldstable distribution (squeeze), these problems have been fixed in version 1:5.5p1-6+squeeze5.

For the stable distribution (wheezy), these problems have been fixed in version 1:6.0p1-4+deb7u1.

For the unstable distribution (sid), these problems have been fixed in version 1:6.6p1-1.

We recommend that you upgrade your openssh packages.