
CVE 2014-2532


'sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character.'

ClearCenter response

This issue has been resolved in patches applied to ClearOS 6.x. Ensure that you are up to date by running the following from the command line:

yum update

If you are having trouble updating your system, please contact support.

Short response

This issue has been resolved in backported fixes to ClearOS 6.x. This issue will not be fixed in ClearOS 5. Whether this affects ClearOS 7.x is unknown at this time.

Long response

This issue is fixed in the current version of ClearOS but may show up as a false positive on scanners that only check version numbers. ClearOS backports fixes into prior version numbers in order to provide longevity and interoperability in its software. If the system is up to date, this backported fix has been applied in the following packages:

  • openssh-5.3p1-104.el6.x86_64.rpm
  • openssh-clients-5.3p1-104.el6.x86_64.rpm
  • openssh-debuginfo-5.3p1-104.el6.i686.rpm
  • openssh-debuginfo-5.3p1-104.el6.x86_64.rpm
  • openssh-ldap-5.3p1-104.el6.x86_64.rpm
  • openssh-server-5.3p1-104.el6.x86_64.rpm
  • pam_ssh_agent_auth-0.9.3-104.el6.i686.rpm
  • pam_ssh_agent_auth-0.9.3-104.el6.x86_64.rpm

To confirm that your installed version is this version or later, run the following from the command line:

rpm -qi openssh

This shows the installed version of the first package affected and fixed in ClearOS. Apply the same check to the other packages. For example:

rpm -qi openssh-server
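Because the backport keeps the 5.3p1 version string, a scanner that pattern-matches the version alone will flag a patched host. The script below is an added example (not ClearCenter's tooling) that compares the installed version-release against the fixed 5.3p1-104.el6 release using rpm-style segment comparison; the package list, the fixed release and the sample rpm output are taken from or constructed for this advisory.

```python
"""Check whether ClearOS 6 OpenSSH packages carry the CVE-2014-2532 backport.

Compares version/release strings the way rpm does (rpmvercmp-style; the
'~' and '^' special cases are not implemented), so a host at 5.3p1-104.el6
or later is reported as fixed even though its version is still 5.3p1.
"""
import re
import subprocess

# Packages and the release that carries the backport, per the advisory.
FIXED = {name: ("5.3p1", "104.el6")
         for name in ("openssh", "openssh-server", "openssh-clients", "openssh-ldap")}

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")  # rpm splits on anything else

def rpmvercmp(a, b):
    """Return -1, 0 or 1 comparing a to b as rpm would."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:                      # numeric segments compare as integers
            xi, yi = int(x), int(y)
            if xi != yi:
                return (xi > yi) - (xi < yi)
        elif xd != yd:                     # a numeric segment is newer than alpha
            return 1 if xd else -1
        elif x != y:                       # alpha segments compare lexically
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # more segments wins

def is_fixed(name, version, release):
    """True when the installed version-release is at or past the fixed one."""
    fixed_version, fixed_release = FIXED[name]
    c = rpmvercmp(version, fixed_version)
    if c == 0:
        c = rpmvercmp(release, fixed_release)
    return c >= 0

def parse_rpm_output(text):
    """Parse lines of: rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' <pkg>..."""
    return [tuple(p) for p in (line.split() for line in text.splitlines()) if len(p) == 3]

def check_installed(names=tuple(FIXED)):
    """Query rpm on a live ClearOS host; returns {package: fixed?}."""
    proc = subprocess.run(["rpm", "-q", "--qf", "%{NAME} %{VERSION} %{RELEASE}\n", *names],
                          capture_output=True, text=True)
    return {n: is_fixed(n, v, r) for n, v, r in parse_rpm_output(proc.stdout) if n in FIXED}

# Constructed sample output (not captured from a real host): one fixed, one stale.
SAMPLE = "openssh 5.3p1 104.el6\nopenssh-server 5.3p1 94.el6\n"

if __name__ == "__main__":
    for n, v, r in parse_rpm_output(SAMPLE):
        print(n, f"{v}-{r}", "fixed" if is_fixed(n, v, r) else "NOT fixed, run yum update")
```

On a ClearOS 6 host, call check_installed() instead of using SAMPLE to test the real packages.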

Resolution

Run the following from the command line:

yum update

Once the system is up to date, respond to those reporting this issue that the fixes have been backported into the existing version number.

content/en_us/announcements_cve_cve-2014-2532.txt · Last modified: 2016/09/08 21:32 by dloper
