Issued: 2012-02-20
Updated: 2012-02-20
RHBA-2012:0237 - Bug Fix Advisory
Synopsis
openssh bug fix and enhancement update
Type/Severity
Bug Fix Advisory
Topic
Updated openssh packages that fix multiple bugs and add one enhancement are now
available for Red Hat Enterprise Linux 5.
Description
OpenSSH is OpenBSD's Secure Shell (SSH) protocol implementation. These packages
include the core files necessary for the OpenSSH client and server.
This update fixes the following bugs:
- Previously, the SSH daemon (sshd) attempted to bind port 22 to both Internet
Protocol version 6 (IPv6) and Internet Protocol version 4 (IPv4). As a
consequence, SSH targeted IPv4 and failed to bind after the second attempt. This
update uses the IPV6_V6ONLY flag to allow SSH to listen on both IPv4 and
IPv6. (BZ#640857)
- Previously, SELinux denied /sbin/setfiles access to a leaked SSH tcp_socket
file descriptor when requested by the restorecon command. This update modifies
sshd to set the FD_CLOEXEC file descriptor flag on the socket file descriptor.
Now, sshd no longer leaks any descriptor. (BZ#642935)
- Previously, the pubkey_key_verify() function did not detect if it was running
in a Federal Information Processing Standards (FIPS) environment. As a
consequence, key-based authentication failed when the FIPS mode was enabled on a
system. With this update, the pubkey_key_verify() function has been modified to
respect FIPS. Now, authentication using an RSA key is successful when the FIPS
mode is enabled. (BZ#674747)
- By default, OpenSSH used the /dev/urandom file to reseed the OpenSSL random
number generator. Prior to this update, this random number generator was
reseeded only once when the SSH daemon service, the SSH client, or an SSH-aware
utility was started. To guarantee sufficient entropy, this update modifies the
underlying source code to reseed the OpenSSL random number generator
periodically. Additionally, the "SSH_USE_STRONG_RNG" environment variable has
been added to allow users to specify /dev/random as the random number generator.
(BZ#681291)
- Previously, the SELinux policy did not allow the passwd command to be executed
from sshd directly. With this update, sshd resets the default policy behavior
before executing the passwd command. (BZ#689406)
- Previously, the lastlog command did not correctly report the last login log
when processing users with User IDs (UIDs) greater than 2147483647. This update
modifies the underlying code so that lastlog now works for all users.
(BZ#706315)
- Previously, SSH did not send or accept the LANGUAGE environment variable. This
update adds the SendEnv LANGUAGE option to the SSH configuration file and the
AcceptEnv option to the sshd configuration file. Now, the environment variable
LANGUAGE is sent and received. (BZ#710229)
- Previously, running the mdoc option "groff -m" on OpenSSH manual pages caused
formatting errors. This update modifies the manual page formatting. Now, the
mdoc option "groff -m" runs as expected. (BZ#731925)
- Prior to this update, the ssh-copy-id script wrongly copied the identity.pub
key instead of the id_rsa.pub key. This update modifies the underlying code so
that ssh-copy-id now copies the id_rsa.pub key by default. (BZ#731930)
- Previously, SSH clients could, under certain circumstances, wait indefinitely
at atomicio() in ssh_exchange_identification() when the SSH server stopped
responding. This update uses the ConnectTimeout parameter to stop SSH clients
from waiting after timeout. (BZ#750725)
This update also adds the following enhancement:
- With this update, the umask feature has been added to the sftp subsystem to create a
secure file transfer environment using the sftp service. (BZ#720598)
All users of openssh are advised to upgrade to these updated packages, which fix
these bugs and add this enhancement.
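The first two fixes listed above (BZ#640857 and BZ#642935) both concern how a listening socket is prepared. The following C program is an added illustration, not code from the OpenSSH packages: it opens separate IPv4 and IPv6 wildcard listeners on one port, using IPV6_V6ONLY so the two binds do not collide and FD_CLOEXEC so the descriptors are not inherited by programs executed later. The helper names (open_listener, is_cloexec, is_v6only, bound_port) are hypothetical, and port 0 (kernel-chosen) stands in for port 22 so it runs unprivileged.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: open a wildcard TCP listener for `family` on `port`
 * (host byte order, 0 = any free port). Returns the fd, or -1 with errno set. */
int open_listener(int family, unsigned short port) {
    struct sockaddr_in a4 = { .sin_family = AF_INET, .sin_port = htons(port) };     /* 0.0.0.0 */
    struct sockaddr_in6 a6 = { .sin6_family = AF_INET6, .sin6_port = htons(port) }; /* :: */
    const struct sockaddr *sa = family == AF_INET6 ? (const struct sockaddr *)&a6
                                                   : (const struct sockaddr *)&a4;
    socklen_t len = family == AF_INET6 ? sizeof a6 : sizeof a4;
    int on = 1, flags, saved, fd = socket(family, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    /* Restrict the IPv6 socket to IPv6 so it does not also claim the IPv4 port. */
    if (family == AF_INET6 && setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof on) < 0) goto fail;
    /* Mark close-on-exec so programs exec'd by this process never see the listener. */
    flags = fcntl(fd, F_GETFD);
    if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) goto fail;
    if (bind(fd, sa, len) < 0 || listen(fd, 16) < 0) goto fail;
    return fd;
fail:
    saved = errno; close(fd); errno = saved;  /* keep the original error for the caller */
    return -1;
}

int is_cloexec(int fd) { int f = fcntl(fd, F_GETFD); return f >= 0 && (f & FD_CLOEXEC) != 0; }

int is_v6only(int fd) {
    int v = 0; socklen_t l = sizeof v;
    return getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v, &l) == 0 && v != 0;
}

unsigned short bound_port(int fd) {
    struct sockaddr_storage ss; socklen_t l = sizeof ss;
    if (getsockname(fd, (struct sockaddr *)&ss, &l) < 0) return 0;
    return ntohs(ss.ss_family == AF_INET6 ? ((struct sockaddr_in6 *)&ss)->sin6_port
                                          : ((struct sockaddr_in *)&ss)->sin_port);
}

int main(void) {
    int s4 = open_listener(AF_INET, 0);  /* demo only: let the kernel pick the port */
    int s6 = s4 < 0 ? -1 : open_listener(AF_INET6, bound_port(s4));
    printf("port %u: IPv4 fd=%d cloexec=%d, IPv6 fd=%d cloexec=%d v6only=%d\n",
           (unsigned)bound_port(s4), s4, is_cloexec(s4), s6, is_cloexec(s6), is_v6only(s6));
    return s4 < 0 || s6 < 0;
}
```

On a running system, `ls -l /proc/<pid>/fd` for a child process of the daemon is a quick check that the listening socket was not inherited.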
Solution
Before applying this update, make sure all previously-released errata relevant
to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
Affected Products
- Red Hat Enterprise Linux Server 5 x86_64
- Red Hat Enterprise Linux Server 5 ia64
- Red Hat Enterprise Linux Server 5 i386
- Red Hat Enterprise Linux Workstation 5 x86_64
- Red Hat Enterprise Linux Workstation 5 i386
- Red Hat Enterprise Linux Desktop 5 x86_64
- Red Hat Enterprise Linux Desktop 5 i386
- Red Hat Enterprise Linux for IBM z Systems 5 s390x
- Red Hat Enterprise Linux for Power, big endian 5 ppc
- Red Hat Enterprise Linux Server from RHUI 5 x86_64
- Red Hat Enterprise Linux Server from RHUI 5 i386
Fixes
- BZ - 640857 - ssh throws an error when using default listening due to ipv4 and ipv6
- BZ - 642935 - SELinux is preventing /sbin/setfiles access to a leaked tcp_socket file descriptor.
- BZ - 674747 - cannot login with rsa key on FIPS environment.
- BZ - 706315 - lastlog is not recorded with the big uid
- BZ - 731925 - openssh: formatting errors in manpages
- BZ - 731930 - ssh-copy-id should copy by default id_rsa.pub not identity.pub
CVEs
(none)
References
(none)
Red Hat Enterprise Linux Server 5
SRPM | |
---|---|
openssh-4.3p2-82.el5.src.rpm | SHA-256: 4cc07c83fcb1cbff08c056214a82647241f723eb21559487ea52a1f5373a8115 |
x86_64 | |
openssh-4.3p2-82.el5.x86_64.rpm | SHA-256: 67e0c9fbca1abe9bce53273fe4bf8a91281747729815770f0854c5ab21ebce7f |
openssh-askpass-4.3p2-82.el5.x86_64.rpm | SHA-256: e756ceea3d951e7ab730324ad07598f6ad1b646861b92fdd086582d424720311 |
openssh-clients-4.3p2-82.el5.x86_64.rpm | SHA-256: efd829dd05f37602ee3051b9a26b0a46f5996ac1a213073a6a76e36b228cc4bd |
openssh-server-4.3p2-82.el5.x86_64.rpm | SHA-256: 6e328b8687bef5ccf0d18bfce698766b15012d05cb637a81415ea82bc1dfd5cd |
ia64 | |
openssh-4.3p2-82.el5.ia64.rpm | SHA-256: 0a14fe37131568643e05c6306acb12e73f1288682ac71d7fe0138ef2800eb0c0 |
openssh-askpass-4.3p2-82.el5.ia64.rpm | SHA-256: e42ef28c6bc677567c087bdf3c09716157e71fb2c708d8f84196a39a991af92a |
openssh-clients-4.3p2-82.el5.ia64.rpm | SHA-256: 570945271c08827cfc66ea0e038f9d6ce9de416489f0cc27808560b07dc07969 |
openssh-server-4.3p2-82.el5.ia64.rpm | SHA-256: baf2794999fd222490b4af3c25c8fe0cd69aa864f4ed331cc84d3ed10ea62100 |
i386 | |
openssh-4.3p2-82.el5.i386.rpm | SHA-256: ba034ba9d82c0ea999d4d6d425fff563eaaa11dbd8a864506e1ab0594420bd37 |
openssh-askpass-4.3p2-82.el5.i386.rpm | SHA-256: 4d634dcad19a4d2dace18ab46846284c8d478b293a1db52cbd6c0e41d1a8e714 |
openssh-clients-4.3p2-82.el5.i386.rpm | SHA-256: 456c560b97ca20bd9015b05ddafc7ba06f2588088c04c45d318d416df120a004 |
openssh-server-4.3p2-82.el5.i386.rpm | SHA-256: 6446abc87b1a7291d933cf405eeace5eecec647e8707a69468573ed018bddfbe |
Red Hat Enterprise Linux Workstation 5
SRPM | |
---|---|
openssh-4.3p2-82.el5.src.rpm | SHA-256: 4cc07c83fcb1cbff08c056214a82647241f723eb21559487ea52a1f5373a8115 |
x86_64 | |
openssh-4.3p2-82.el5.x86_64.rpm | SHA-256: 67e0c9fbca1abe9bce53273fe4bf8a91281747729815770f0854c5ab21ebce7f |
openssh-askpass-4.3p2-82.el5.x86_64.rpm | SHA-256: e756ceea3d951e7ab730324ad07598f6ad1b646861b92fdd086582d424720311 |
openssh-clients-4.3p2-82.el5.x86_64.rpm | SHA-256: efd829dd05f37602ee3051b9a26b0a46f5996ac1a213073a6a76e36b228cc4bd |
openssh-server-4.3p2-82.el5.x86_64.rpm | SHA-256: 6e328b8687bef5ccf0d18bfce698766b15012d05cb637a81415ea82bc1dfd5cd |
i386 | |
openssh-4.3p2-82.el5.i386.rpm | SHA-256: ba034ba9d82c0ea999d4d6d425fff563eaaa11dbd8a864506e1ab0594420bd37 |
openssh-askpass-4.3p2-82.el5.i386.rpm | SHA-256: 4d634dcad19a4d2dace18ab46846284c8d478b293a1db52cbd6c0e41d1a8e714 |
openssh-clients-4.3p2-82.el5.i386.rpm | SHA-256: 456c560b97ca20bd9015b05ddafc7ba06f2588088c04c45d318d416df120a004 |
openssh-server-4.3p2-82.el5.i386.rpm | SHA-256: 6446abc87b1a7291d933cf405eeace5eecec647e8707a69468573ed018bddfbe |
Red Hat Enterprise Linux Desktop 5
SRPM | |
---|---|
openssh-4.3p2-82.el5.src.rpm | SHA-256: 4cc07c83fcb1cbff08c056214a82647241f723eb21559487ea52a1f5373a8115 |
x86_64 | |
openssh-4.3p2-82.el5.x86_64.rpm | SHA-256: 67e0c9fbca1abe9bce53273fe4bf8a91281747729815770f0854c5ab21ebce7f |
openssh-askpass-4.3p2-82.el5.x86_64.rpm | SHA-256: e756ceea3d951e7ab730324ad07598f6ad1b646861b92fdd086582d424720311 |
openssh-clients-4.3p2-82.el5.x86_64.rpm | SHA-256: efd829dd05f37602ee3051b9a26b0a46f5996ac1a213073a6a76e36b228cc4bd |
openssh-server-4.3p2-82.el5.x86_64.rpm | SHA-256: 6e328b8687bef5ccf0d18bfce698766b15012d05cb637a81415ea82bc1dfd5cd |
i386 | |
openssh-4.3p2-82.el5.i386.rpm | SHA-256: ba034ba9d82c0ea999d4d6d425fff563eaaa11dbd8a864506e1ab0594420bd37 |
openssh-askpass-4.3p2-82.el5.i386.rpm | SHA-256: 4d634dcad19a4d2dace18ab46846284c8d478b293a1db52cbd6c0e41d1a8e714 |
openssh-clients-4.3p2-82.el5.i386.rpm | SHA-256: 456c560b97ca20bd9015b05ddafc7ba06f2588088c04c45d318d416df120a004 |
openssh-server-4.3p2-82.el5.i386.rpm | SHA-256: 6446abc87b1a7291d933cf405eeace5eecec647e8707a69468573ed018bddfbe |
Red Hat Enterprise Linux for IBM z Systems 5
SRPM | |
---|---|
openssh-4.3p2-82.el5.src.rpm | SHA-256: 4cc07c83fcb1cbff08c056214a82647241f723eb21559487ea52a1f5373a8115 |
s390x | |
openssh-4.3p2-82.el5.s390x.rpm | SHA-256: 3268377bfc4c10500d91f1bf4f471329524dde4825a01593e60797b193480a3f |
openssh-askpass-4.3p2-82.el5.s390x.rpm | SHA-256: 6ee135cbb898e88135c3c2c6787fb0ac89aba67b214e6ae7aaaa644c13b7e752 |
openssh-clients-4.3p2-82.el5.s390x.rpm | SHA-256: 121acb16045b74686312edbb1dfb2351eb361319b10bc6b239f5521df81b65f4 |
openssh-server-4.3p2-82.el5.s390x.rpm | SHA-256: 976834a472ec46c02c531aceef5a4ad51fb060c66445755f808422f7f677e689 |
Red Hat Enterprise Linux for Power, big endian 5
SRPM | |
---|---|
openssh-4.3p2-82.el5.src.rpm | SHA-256: 4cc07c83fcb1cbff08c056214a82647241f723eb21559487ea52a1f5373a8115 |
ppc | |
openssh-4.3p2-82.el5.ppc.rpm | SHA-256: aee03636dee13e0391d34919afe4056ff32e1d7af3848951ac2dead34e5a10a7 |
openssh-askpass-4.3p2-82.el5.ppc.rpm | SHA-256: 4956e6b5bb169e43269c021ed3ca118e2fa61f905efef59fc8ec1e727e120179 |
openssh-clients-4.3p2-82.el5.ppc.rpm | SHA-256: e7f2de426a9469822bd100b18b238101770106e3d2b43c244d67b52f07a11bd6 |
openssh-server-4.3p2-82.el5.ppc.rpm | SHA-256: c4bf9449fb08dcf1883dcec66be11f68cabef50b09ac62190bdf4da77b5cc257 |
Red Hat Enterprise Linux Server from RHUI 5
SRPM | |
---|---|
openssh-4.3p2-82.el5.src.rpm | SHA-256: 4cc07c83fcb1cbff08c056214a82647241f723eb21559487ea52a1f5373a8115 |
x86_64 | |
openssh-4.3p2-82.el5.x86_64.rpm | SHA-256: 67e0c9fbca1abe9bce53273fe4bf8a91281747729815770f0854c5ab21ebce7f |
openssh-askpass-4.3p2-82.el5.x86_64.rpm | SHA-256: e756ceea3d951e7ab730324ad07598f6ad1b646861b92fdd086582d424720311 |
openssh-clients-4.3p2-82.el5.x86_64.rpm | SHA-256: efd829dd05f37602ee3051b9a26b0a46f5996ac1a213073a6a76e36b228cc4bd |
openssh-server-4.3p2-82.el5.x86_64.rpm | SHA-256: 6e328b8687bef5ccf0d18bfce698766b15012d05cb637a81415ea82bc1dfd5cd |
i386 | |
openssh-4.3p2-82.el5.i386.rpm | SHA-256: ba034ba9d82c0ea999d4d6d425fff563eaaa11dbd8a864506e1ab0594420bd37 |
openssh-askpass-4.3p2-82.el5.i386.rpm | SHA-256: 4d634dcad19a4d2dace18ab46846284c8d478b293a1db52cbd6c0e41d1a8e714 |
openssh-clients-4.3p2-82.el5.i386.rpm | SHA-256: 456c560b97ca20bd9015b05ddafc7ba06f2588088c04c45d318d416df120a004 |
openssh-server-4.3p2-82.el5.i386.rpm | SHA-256: 6446abc87b1a7291d933cf405eeace5eecec647e8707a69468573ed018bddfbe |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.