Issued: 2012-02-20
Updated: 2012-02-20

RHBA-2012:0237 - openssh bug fix and enhancement update


Synopsis

openssh bug fix and enhancement update

Type/Severity

Bug Fix Advisory (none)

Topic

Updated openssh packages that fix multiple bugs and add one enhancement are now available for Red Hat Enterprise Linux 5.

Description

OpenSSH is OpenBSD's Secure Shell (SSH) protocol implementation. These packages include the core files necessary for the OpenSSH client and server.

This update fixes the following bugs:

  • Previously, the SSH daemon (sshd) attempted to bind port 22 to both Internet Protocol version 6 (IPv6) and Internet Protocol version 4 (IPv4). As a consequence, the IPv6 socket also claimed the IPv4 port and the second bind attempt, for IPv4, failed. This update uses the IPV6_V6ONLY flag so that sshd can listen on both IPv4 and IPv6. (BZ#640857)

  • Previously, SELinux denied /sbin/setfiles access to an SSH tcp_socket file descriptor that sshd had leaked to it when the restorecon command was run. This update modifies sshd to set the FD_CLOEXEC file descriptor flag on the socket file descriptor, so sshd no longer leaks the descriptor to child processes. (BZ#642935)
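The two socket-level fixes above (IPV6_V6ONLY so an IPv6 listener does not also own the IPv4 port, and FD_CLOEXEC so the listening descriptor is not inherited by spawned programs) can be seen in a small listener. The following C program is an added example written for this page, not OpenSSH's own code: the function names (listen_wildcard, set_cloexec, has_cloexec, bound_port) are constructed, it binds an ephemeral port (0) instead of 22 so it runs unprivileged, and the v6only parameter lets the pre-fix and fixed behaviours be compared side by side.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Mark fd close-on-exec so programs the daemon spawns do not inherit the
   listening socket. Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* 1 if FD_CLOEXEC is set on fd, 0 if not, -1 on error. */
int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : (flags & FD_CLOEXEC) != 0;
}

/* Port (host byte order) a bound socket ended up on, or -1 on error. */
int bound_port(int fd)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    if (getsockname(fd, (struct sockaddr *)&ss, &len) == -1)
        return -1;
    if (ss.ss_family == AF_INET6)
        return ntohs(((struct sockaddr_in6 *)&ss)->sin6_port);
    return ntohs(((struct sockaddr_in *)&ss)->sin_port);
}

/* Create a listening TCP socket on the wildcard address of `family` and `port`
   (0 = let the kernel pick). For AF_INET6, `v6only` is written to IPV6_V6ONLY:
   cleared (the pre-fix behaviour) the IPv6 socket also claims the IPv4 port, so a
   later AF_INET bind of the same port fails with EADDRINUSE; set, the two address
   families bind independently. The descriptor is always marked FD_CLOEXEC.
   Returns the fd, or -1 with errno set. */
int listen_wildcard(int family, unsigned short port, int v6only)
{
    int one = 1;
    struct sockaddr_in6 a6;
    struct sockaddr_in a4;
    struct sockaddr *sa;
    socklen_t salen;
    int fd = socket(family, SOCK_STREAM, 0);
    if (fd == -1)
        return -1;

    if (family == AF_INET6) {
        if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof v6only) == -1)
            goto fail;
        memset(&a6, 0, sizeof a6);
        a6.sin6_family = AF_INET6;
        a6.sin6_addr = in6addr_any;
        a6.sin6_port = htons(port);
        sa = (struct sockaddr *)&a6;
        salen = sizeof a6;
    } else {
        memset(&a4, 0, sizeof a4);
        a4.sin_family = AF_INET;
        a4.sin_addr.s_addr = htonl(INADDR_ANY);
        a4.sin_port = htons(port);
        sa = (struct sockaddr *)&a4;
        salen = sizeof a4;
    }
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) == -1 ||
        set_cloexec(fd) == -1 || bind(fd, sa, salen) == -1 || listen(fd, 8) == -1)
        goto fail;
    return fd;

fail:
    {
        int saved = errno;
        close(fd);
        errno = saved;
    }
    return -1;
}

int main(void)
{
    /* Pre-fix behaviour: a dual-stack IPv6 listener also owns the IPv4 port. */
    int v6 = listen_wildcard(AF_INET6, 0, 0);
    if (v6 != -1) {
        int port = bound_port(v6);
        int v4 = listen_wildcard(AF_INET, (unsigned short)port, 0);
        printf("without IPV6_V6ONLY: IPv4 bind of port %d -> %s\n", port,
               v4 == -1 ? strerror(errno) : "ok");
        if (v4 != -1) close(v4);
        close(v6);
    }
    /* Fixed behaviour: with IPV6_V6ONLY both families bind the same port. */
    v6 = listen_wildcard(AF_INET6, 0, 1);
    if (v6 != -1) {
        int port = bound_port(v6);
        int v4 = listen_wildcard(AF_INET, (unsigned short)port, 1);
        printf("with IPV6_V6ONLY: IPv4 bind of port %d -> %s, FD_CLOEXEC on v6=%d\n",
               port, v4 == -1 ? strerror(errno) : "ok", has_cloexec(v6));
        if (v4 != -1) close(v4);
        close(v6);
    }
    return 0;
}
```

On a Linux host with the default net.ipv6.bindv6only=0 the first block reports "Address already in use" and the second reports "ok", which is exactly the difference the IPV6_V6ONLY fix makes; has_cloexec() is the check a reviewer would run on any descriptor a daemon holds across fork/exec.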

  • Previously, the pubkey_key_verify() function did not detect if it was running in a Federal Information Processing Standards (FIPS) environment. As a consequence, key-based authentication failed when the FIPS mode was enabled on a system. With this update, the pubkey_key_verify() function has been modified to respect FIPS. Now, authentication using an RSA key is successful when the FIPS mode is enabled. (BZ#674747)

  • By default, OpenSSH used the /dev/urandom file to reseed the OpenSSL random number generator. Prior to this update, this random number generator was reseeded only once when the SSH daemon service, the SSH client, or an SSH-aware utility was started. To guarantee sufficient entropy, this update modifies the underlying source code to reseed the OpenSSL random number generator periodically. Additionally, the "SSH_USE_STRONG_RNG" environment variable has been added to allow users to specify /dev/random as the random number generator. (BZ#681291)

  • Previously, the SELinux policy did not allow sshd to execute the passwd command directly. With this update, sshd resets the default policy behavior before executing the passwd command. (BZ#689406)

  • Previously, the lastlog command did not correctly report the last login log when processing users with User IDs (UIDs) greater than 2147483647. This update modifies the underlying code so that lastlog now works for all users. (BZ#706315)
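The lastlog file is indexed by UID: the record for a user lives at uid * sizeof(record), so for UIDs above 2147483647 the offset no longer fits a 32-bit signed int and must be formed in a 64-bit off_t. The following C program is an added example written for this page, not the lastlog or OpenSSH source: the record layout (struct ll_rec), the function names (lastlog_offset, offset_needs_64bit, lastlog_put, lastlog_get, roundtrip) and the sample record values are constructed, and the layout mirrors glibc's struct lastlog only so that the record size is a fixed 292 bytes.

```c
#define _FILE_OFFSET_BITS 64
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed record layout mirroring glibc's struct lastlog
   (int32 time, 32-byte line, 256-byte host): 292 bytes, no padding. */
struct ll_rec {
    int32_t ll_time;
    char ll_line[32];
    char ll_host[256];
};

/* File offset of the record for `uid`. Both factors are widened to off_t
   (64-bit here) before multiplying; forming the product in int would wrap
   for any UID above INT_MAX / 292. */
off_t lastlog_offset(uid_t uid)
{
    return (off_t)uid * (off_t)sizeof(struct ll_rec);
}

/* 1 if the offset for `uid` does not fit a 32-bit signed int, else 0. */
int offset_needs_64bit(uid_t uid)
{
    return lastlog_offset(uid) > (off_t)INT_MAX;
}

/* Store the record for `uid`; 0 on success, -1 on error. */
int lastlog_put(int fd, uid_t uid, const struct ll_rec *rec)
{
    ssize_t n = pwrite(fd, rec, sizeof *rec, lastlog_offset(uid));
    return n == (ssize_t)sizeof *rec ? 0 : -1;
}

/* Load the record for `uid`; 0 on success, 1 if the file has no record
   at that position (too short), -1 on error. */
int lastlog_get(int fd, uid_t uid, struct ll_rec *rec)
{
    ssize_t n = pread(fd, rec, sizeof *rec, lastlog_offset(uid));
    if (n == (ssize_t)sizeof *rec)
        return 0;
    if (n == 0)
        return 1;
    return -1;
}

/* Write a record for `uid` into a temporary file and read it back through
   the same offset calculation; 0 if it matches, -1 otherwise. */
int roundtrip(uid_t uid, int32_t when, const char *line, const char *host)
{
    char path[] = "/tmp/lastlog-example-XXXXXX";
    struct ll_rec in, out;
    int rc = -1;
    int fd = mkstemp(path);
    if (fd == -1)
        return -1;
    unlink(path);
    memset(&in, 0, sizeof in);
    in.ll_time = when;
    strncpy(in.ll_line, line, sizeof in.ll_line - 1);
    strncpy(in.ll_host, host, sizeof in.ll_host - 1);
    if (lastlog_put(fd, uid, &in) == 0 && lastlog_get(fd, uid, &out) == 0 &&
        memcmp(&in, &out, sizeof in) == 0)
        rc = 0;
    close(fd);
    return rc;
}

int main(void)
{
    uid_t uids[] = { 1000, 2147483647u, 2147483648u };
    size_t i;
    for (i = 0; i < sizeof uids / sizeof uids[0]; i++)
        printf("uid %u -> offset %lld (needs 64-bit: %d)\n", (unsigned)uids[i],
               (long long)lastlog_offset(uids[i]), offset_needs_64bit(uids[i]));
    /* Constructed sample record: a login from "example.test" on pts/0. */
    printf("roundtrip uid 1000: %s\n",
           roundtrip(1000, 1329696000, "pts/0", "example.test") == 0 ? "ok" : "failed");
    return 0;
}
```

The roundtrip is done with a small UID only because the file for a UID near 2^31 is over 600 GB of (sparse) offset; the offset functions are what matter for the high-UID case, and they are what a reader should check against their own tools that index files by UID.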

  • Previously, SSH did not send or accept the LANGUAGE environment variable. This update adds the SendEnv LANGUAGE option to the SSH client configuration file and the AcceptEnv LANGUAGE option to the sshd configuration file. Now, the LANGUAGE environment variable is sent and received. (BZ#710229)

  • Previously, running the mdoc option "groff -m" on OpenSSH manual pages caused formatting errors. This update modifies the manual page formatting. Now, the mdoc option "groff -m" runs as expected. (BZ#731925)

  • Prior to this update, the ssh-copy-id script wrongly copied the identity.pub key instead of the id_rsa.pub key. This update modifies the underlying code so that ssh-copy-id now copies the id_rsa.pub key by default. (BZ#731930)

  • Previously, SSH clients could, under certain circumstances, wait indefinitely in atomicio() within ssh_exchange_identification() when the SSH server stopped responding. This update applies the ConnectTimeout parameter to that exchange so that SSH clients stop waiting once the timeout expires. (BZ#750725)

This update also adds the following enhancement:

  • With this update, a umask option was added to the sftp subsystem so that a secure file transfer environment can be created using the sftp service. (BZ#720598)

All users of openssh are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

Solution

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259

Affected Products

Product                                         Version  Arch
Red Hat Enterprise Linux for Power, big endian  5        ppc
Red Hat Enterprise Linux for IBM z Systems      5        s390x
Red Hat Enterprise Linux Workstation            5        x86_64
Red Hat Enterprise Linux Workstation            5        i386
Red Hat Enterprise Linux Server                 5        x86_64
Red Hat Enterprise Linux Server                 5        ia64
Red Hat Enterprise Linux Server                 5        i386
Red Hat Enterprise Linux Server from RHUI       5        x86_64
Red Hat Enterprise Linux Server from RHUI       5        i386
Red Hat Enterprise Linux Desktop                5        x86_64
Red Hat Enterprise Linux Desktop                5        i386

Updated Packages

  • openssh-4.3p2-82.el5.src.rpm
  • openssh-clients-4.3p2-82.el5.s390x.rpm
  • openssh-askpass-4.3p2-82.el5.ia64.rpm
  • openssh-clients-4.3p2-82.el5.ia64.rpm
  • openssh-clients-4.3p2-82.el5.ppc.rpm
  • openssh-askpass-4.3p2-82.el5.ppc.rpm
  • openssh-4.3p2-82.el5.s390x.rpm
  • openssh-clients-4.3p2-82.el5.x86_64.rpm
  • openssh-clients-4.3p2-82.el5.i386.rpm
  • openssh-askpass-4.3p2-82.el5.x86_64.rpm
  • openssh-server-4.3p2-82.el5.s390x.rpm
  • openssh-4.3p2-82.el5.ia64.rpm
  • openssh-server-4.3p2-82.el5.ia64.rpm
  • openssh-askpass-4.3p2-82.el5.s390x.rpm
  • openssh-askpass-4.3p2-82.el5.i386.rpm
  • openssh-4.3p2-82.el5.x86_64.rpm
  • openssh-server-4.3p2-82.el5.x86_64.rpm
  • openssh-4.3p2-82.el5.ppc.rpm
  • openssh-server-4.3p2-82.el5.i386.rpm
  • openssh-server-4.3p2-82.el5.ppc.rpm
  • openssh-4.3p2-82.el5.i386.rpm

Fixes

CVEs

(none)

References

(none)
