BLSA-2016:0087 – [Moderate] openssh security advisory and remediation


    Problem description

    A privilege-escalation vulnerability in the do_setup_env function of OpenSSH was recently disclosed. In OpenSSH before 7.2p2, the do_setup_env function in sshd's session.c has a security flaw: when the UseLogin option is enabled and PAM is configured to read the .pam_environment file in the user's home directory, a local user can escalate privileges through the environment constructed when the /bin/login program is triggered. To strengthen system security, all users are advised to install the upgrade packages provided by BCLinux, which contain the patches that fix these vulnerabilities.

    About OpenSSH
    OpenSSH is a free, open-source implementation of the SSH (Secure Shell) protocol. The SSH protocol family can be used for remote control or for transferring files between computers. The traditional tools for these tasks, such as telnet (the terminal emulation protocol), rcp, ftp, rlogin and rsh, are highly insecure and transmit passwords in plaintext. OpenSSH provides a server daemon and client tools that encrypt the data exchanged during remote control and file transfer, and thereby replaces those legacy services. OpenSSH is an implementation of encrypted communication over computer networks using SSH. It is the open-source alternative to the commercial version offered by SSH Communications Security. OpenSSH is currently a sub-project of OpenBSD. OpenSSH is often mistakenly assumed to be related to OpenSSL, but the two projects have different purposes and different development teams; the names are similar only because both share the same software goal of providing open-source encrypted communication software.

    Note
    The packages in this security update belong to the 7.3 release. Since BCLinux 7.3 has not yet been released, this security update is intended only for users who urgently need to fix this vulnerability; other users can wait for the BCLinux 7.3 release and upgrade the whole system to 7.3 at that time.
    The packages are in the CR repository, which must be enabled before the fix can be applied. The purpose of the CR repository is to provide short-term, transitional package updates before the next release is published.

    Affected versions

    • BigCloud Enterprise Linux 7
    • Red Hat Enterprise Linux 7
    • CentOS Linux 7

    Details

    • CVE-2015-8325
      The OpenSSH service daemon sshd was found to obtain the PAM environment settings before running the login program, which leaves the do_setup_env function in sshd/session.c with a security flaw. When the UseLogin option is enabled and PAM is configured to read the .pam_environment file in the user's home directory, a local user can escalate privileges through the environment constructed when the /bin/login program is triggered.

    Solution

    The official BCLinux repository now provides updated openssh packages; affected BCLinux 7 users need to upgrade to version 6.6.1p1-31.el7.
    1. Add the CR repository; the configuration file contents are as follows:

    [root@BCLinux ~]# cat /etc/yum.repos.d/BCLinux-CR.repo 
    [cr] 
    name=BCLinux-$releasever - CR
    baseurl=http://mirrors.bclinux.org/bclinux/el7/cr/$basearch/
    gpgcheck=0 
    enabled=0
    

    2. Check the YUM repository settings and make sure the official BCLinux YUM repositories are in use

    [root@BCLinux ~]# ls -l /etc/yum.repos.d/
    total 16
    -rw-r--r--. 1 root root 1127 Jan  7  2016 BCLinux-Base.repo
    -rw-r--r--. 1 root root  794 Jan  7  2016 BCLinux-Kernel.repo
    -rw-r--r--. 1 root root 1153 Jan  7  2016 BCLinux-Source.repo
    -rw-r--r--. 1 root root  801 Jan  7  2016 BigCloud.repo
    

    3. Install the update

    [root@BCLinux ~]# yum --enablerepo=cr  update openssh
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    Resolving Dependencies
    --> Running transaction check
    ---> Package openssh.x86_64 0:6.6.1p1-22.el7 will be updated
    --> Processing Dependency: openssh = 6.6.1p1-22.el7 for package: openssh-clients-6.6.1p1-22.el7.x86_64
    --> Processing Dependency: openssh = 6.6.1p1-22.el7 for package: openssh-server-6.6.1p1-22.el7.x86_64
    ---> Package openssh.x86_64 0:6.6.1p1-31.el7 will be an update
    --> Running transaction check
    ---> Package openssh-clients.x86_64 0:6.6.1p1-22.el7 will be updated
    ---> Package openssh-clients.x86_64 0:6.6.1p1-31.el7 will be an update
    ---> Package openssh-server.x86_64 0:6.6.1p1-22.el7 will be updated
    ---> Package openssh-server.x86_64 0:6.6.1p1-31.el7 will be an update
    --> Processing Conflict: openssh-6.6.1p1-31.el7.x86_64 conflicts selinux-policy < 3.13.1-92
    --> Restarting Dependency Resolution with new changes.
    --> Running transaction check
    ---> Package selinux-policy.noarch 0:3.13.1-60.el7 will be updated
    --> Processing Dependency: selinux-policy = 3.13.1-60.el7 for package: selinux-policy-targeted-3.13.1-60.el7.noarch
    --> Processing Dependency: selinux-policy = 3.13.1-60.el7 for package: selinux-policy-targeted-3.13.1-60.el7.noarch
    ---> Package selinux-policy.noarch 0:3.13.1-102.el7 will be an update
    --> Processing Dependency: policycoreutils >= 2.5 for package: selinux-policy-3.13.1-102.el7.noarch
    --> Processing Dependency: libsemanage >= 2.5 for package: selinux-policy-3.13.1-102.el7.noarch
    --> Running transaction check
    ---> Package libsemanage.x86_64 0:2.1.10-18.el7 will be updated
    ---> Package libsemanage.x86_64 0:2.5-4.el7 will be an update
    --> Processing Dependency: libsepol.so.1(LIBSEPOL_1.1)(64bit) for package: libsemanage-2.5-4.el7.x86_64
    --> Processing Dependency: libsepol.so.1(LIBSEPOL_1.0)(64bit) for package: libsemanage-2.5-4.el7.x86_64
    ---> Package policycoreutils.x86_64 0:2.2.5-20.el7 will be updated
    ---> Package policycoreutils.x86_64 0:2.5-8.el7 will be an update
    --> Processing Dependency: libselinux-utils >= 2.5-6 for package: policycoreutils-2.5-8.el7.x86_64
    ---> Package selinux-policy-targeted.noarch 0:3.13.1-60.el7 will be updated
    ---> Package selinux-policy-targeted.noarch 0:3.13.1-102.el7 will be an update
    --> Running transaction check
    ---> Package libselinux-utils.x86_64 0:2.2.2-6.el7 will be updated
    ---> Package libselinux-utils.x86_64 0:2.5-6.el7 will be an update
    --> Processing Dependency: libselinux(x86-64) = 2.5-6.el7 for package: libselinux-utils-2.5-6.el7.x86_64
    ---> Package libsepol.x86_64 0:2.1.9-3.el7 will be updated
    ---> Package libsepol.x86_64 0:2.5-6.el7 will be an update
    --> Running transaction check
    ---> Package libselinux.x86_64 0:2.2.2-6.el7 will be updated
    --> Processing Dependency: libselinux = 2.2.2-6.el7 for package: libselinux-python-2.2.2-6.el7.x86_64
    ---> Package libselinux.x86_64 0:2.5-6.el7 will be an update
    --> Running transaction check
    ---> Package libselinux-python.x86_64 0:2.2.2-6.el7 will be updated
    ---> Package libselinux-python.x86_64 0:2.5-6.el7 will be an update
    --> Processing Conflict: libselinux-2.5-6.el7.x86_64 conflicts systemd < 219-20
    --> Restarting Dependency Resolution with new changes.
    --> Running transaction check
    ---> Package systemd.x86_64 0:219-19.el7 will be updated
    --> Processing Dependency: systemd = 219-19.el7 for package: systemd-sysv-219-19.el7.x86_64
    ---> Package systemd.x86_64 0:219-30.el7 will be an update
    --> Processing Dependency: systemd-libs = 219-30.el7 for package: systemd-219-30.el7.x86_64
    --> Running transaction check
    ---> Package systemd-libs.x86_64 0:219-19.el7 will be updated
    --> Processing Dependency: systemd-libs = 219-19.el7 for package: libgudev1-219-19.el7.x86_64
    ---> Package systemd-libs.x86_64 0:219-30.el7 will be an update
    ---> Package systemd-sysv.x86_64 0:219-19.el7 will be updated
    ---> Package systemd-sysv.x86_64 0:219-30.el7 will be an update
    --> Running transaction check
    ---> Package libgudev1.x86_64 0:219-19.el7 will be updated
    ---> Package libgudev1.x86_64 0:219-30.el7 will be an update
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    =================================================================================================================================================
     Package                                        Arch                          Version                               Repository              Size
    =================================================================================================================================================
    Updating:
     openssh                                        x86_64                        6.6.1p1-31.el7                        cr                      436 k
     selinux-policy                                 noarch                        3.13.1-102.el7                        cr                      410 k
     systemd                                        x86_64                        219-30.el7                            cr                      5.3 M
    Updating for dependencies:
     libgudev1                                      x86_64                        219-30.el7                            cr                       74 k
     libselinux                                     x86_64                        2.5-6.el7                             cr                      160 k
     libselinux-python                              x86_64                        2.5-6.el7                             cr                      232 k
     libselinux-utils                               x86_64                        2.5-6.el7                             cr                      149 k
     libsemanage                                    x86_64                        2.5-4.el7                             cr                      143 k
     libsepol                                       x86_64                        2.5-6.el7                             cr                      287 k
     openssh-clients                                x86_64                        6.6.1p1-31.el7                        cr                        641 k
     openssh-server                                 x86_64                        6.6.1p1-31.el7                        cr                        438 k
     policycoreutils                                x86_64                        2.5-8.el7                             cr                        840 k
     selinux-policy-targeted                        noarch                        3.13.1-102.el7                        cr                        6.4 M
     systemd-libs                                   x86_64                        219-30.el7                            cr                        366 k
     systemd-sysv                                   x86_64                        219-30.el7                            cr                         61 k
    
    Transaction Summary
    =================================================================================================================================================
    Upgrade  3 Packages (+12 Dependent packages)
    
    Total download size: 16 M
    Is this ok [y/d/N]: y
    

    4. Verify

    [root@BCLinux ~]# rpm -qa | grep openssh
    openssh-6.6.1p1-31.el7.x86_64
    

    5. Restart the application

    After installing the upgrade packages, restart the application so that the update takes effect.
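    The following added example is not part of the BCLinux advisory: a POSIX shell script that checks the two conditions the advisory describes for CVE-2015-8325 on an EL7 host, namely whether the installed openssh package is at or above the fixed release 6.6.1p1-31.el7 and whether an active "UseLogin yes" directive is present in sshd_config. Function names, the sample package string and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the BCLinux advisory: check the two conditions this
# advisory describes for CVE-2015-8325 on an EL7 host: is openssh at or above
# 6.6.1p1-31.el7, and is an active "UseLogin yes" present in sshd_config?
# The PAM side (pam_env reading ~/.pam_environment) is not checked. Inputs are
# strings so the checks run offline; on a real host pass "$(rpm -q openssh)"
# and "$(cat /etc/ssh/sshd_config)".

FIXED_VERSION="6.6.1p1"   # upstream version shipped in EL7
FIXED_RELEASE=31          # advisory: 6.6.1p1-31.el7 contains the fix

# openssh_fixed NVRA -> 0 if release >= 31, 1 if older, 2 if the upstream
# version is not 6.6.1p1 (then compare by hand; treated as not fixed below)
openssh_fixed() {
    ver="${1#openssh-}"          # 6.6.1p1-31.el7.x86_64
    ver="${ver%%.el7*}"          # 6.6.1p1-31
    base="${ver%-*}"             # 6.6.1p1
    rel="${ver##*-}"             # 31
    [ "$base" = "$FIXED_VERSION" ] || return 2
    [ "$rel" -ge "$FIXED_RELEASE" ]
}

# uselogin_enabled CONFIG_TEXT -> 0 if the first active UseLogin line says yes.
# sshd keywords are case-insensitive, the first occurrence wins, "#..." never matches.
uselogin_enabled() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "uselogin" && !seen { seen = 1; found = (tolower($2) == "yes") }
        END { exit !found }'
}

# check_host NVRA CONFIG_TEXT -> 0 fixed, 1 vulnerable, 2 outdated but UseLogin off
check_host() {
    pkg="$1"
    cfg="$2"
    if openssh_fixed "$pkg"; then
        echo "OK: $pkg is at or above ${FIXED_VERSION}-${FIXED_RELEASE}.el7"
        return 0
    fi
    if uselogin_enabled "$cfg"; then
        echo "VULNERABLE: $pkg with UseLogin yes; apply the CR update now"
        return 1
    fi
    echo "OUTDATED: $pkg, UseLogin is off; the update is still required"
    return 2
}

# Constructed sample data (not from a real host): old package, UseLogin on.
SAMPLE_CFG="$(printf '#UseLogin no\nUseLogin yes\nUsePAM yes\n')"
check_host "openssh-6.6.1p1-22.el7.x86_64" "$SAMPLE_CFG" || echo "exit status: $?"
```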

    External links

    1. BCLinux security updates