- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201801-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: OpenSSH: Permission issue Date: January 07, 2018 Bugs: #633428 ID: 201801-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A flaw has been discovered in OpenSSH which could allow a remote attacker to create zero-length files. Background ========== OpenSSH is a complete SSH protocol implementation that includes SFTP client and server support. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/openssh < 7.5_p1-r3 >= 7.5_p1-r3 Description =========== The process_open function in sftp-server.c in OpenSSH did not properly prevent write operations in readonly mode. Impact ====== A remote attacker could cause the creation of zero-length files. Workaround ========== There is no known workaround at this time. Resolution ========== All OpenSSH users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/openssh-7.5_p1-r3" References ========== [ 1 ] CVE-2017-15906 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15906 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201801-05 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License =======