Security Advisory Details

NS-SA-2019-0094

2019-07-17 14:59:30

Summary

important: polkit/openssh-latest security update

Severity

important

Topic

An update for polkit/openssh-latest is now available for NewStart CGSL MAIN 4.06.
NewStart Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

polkit: PolicyKit is a toolkit for defining and handling authorizations. It is used for allowing unprivileged processes to speak to privileged processes.
openssh-latest: SSH (Secure SHell) is a program for logging into and executing commands on a remote machine. SSH is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. OpenSSH is OpenBSD's version of the last free version of SSH, bringing it up to date in terms of security and features. This package includes the core files necessary for both the OpenSSH client and server. To make this package useful, you should also install openssh-clients, openssh-server, or both.


Security Fix(es):
polkit: A vulnerability was found in polkit. When authentication is performed by a non-root user to perform an administrative task, the authentication is temporarily cached in such a way that a local attacker could impersonate the authorized process, thus gaining access to elevated privileges.(CVE-2019-6133)
polkit: bugfix
openssh-latest: In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.(CVE-2018-20685)
openssh-latest: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 4.06.F1.

Affected Components

  • polkit
  • openssh-latest

Affected Products

  • CGSL MAIN 4.06

Update Packages

CGSL MAIN 4.06

polkit (source: polkit-0.96-11.el6_10.1.src.rpm)

  • polkit-0.96-11.el6_10.1.x86_64.rpm
  • polkit-debuginfo-0.96-11.el6_10.1.x86_64.rpm
  • polkit-desktop-policy-0.96-11.el6_10.1.noarch.rpm
  • polkit-devel-0.96-11.el6_10.1.x86_64.rpm
  • polkit-docs-0.96-11.el6_10.1.x86_64.rpm

openssh-latest (source: openssh-latest-8.0p1-1.el6.cgslv4_6.0.4.ge38e9b4.src.rpm)

  • openssh-latest-8.0p1-1.el6.cgslv4_6.0.4.ge38e9b4.x86_64.rpm
  • openssh-latest-askpass-8.0p1-1.el6.cgslv4_6.0.4.ge38e9b4.x86_64.rpm
  • openssh-latest-cavs-8.0p1-1.el6.cgslv4_6.0.4.ge38e9b4.x86_64.rpm
  • openssh-latest-clients-8.0p1-1.el6.cgslv4_6.0.4.ge38e9b4.x86_64.rpm
  • openssh-latest-debuginfo-8.0p1-1.el6.cgslv4_6.0.4.ge38e9b4.x86_64.rpm
  • openssh-latest-keycat-8.0p1-1.el6.cgslv4_6.0.4.ge38e9b4.x86_64.rpm
  • openssh-latest-ldap-8.0p1-1.el6.cgslv4_6.0.4.ge38e9b4.x86_64.rpm
  • openssh-latest-server-8.0p1-1.el6.cgslv4_6.0.4.ge38e9b4.x86_64.rpm
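As an added example (not part of this advisory or of NewStart's own tooling), the script below reads a fix record in the advisory's JSON shape and reports which installed packages, taken from `rpm -qa` output, still predate the fixed build. The package names come from the advisory; the installed-package lines and the older openssh-latest release are constructed, and the version comparison is a simplified rpmvercmp without tilde/caret handling.

```python
import json
import re

# Fix record in the advisory's own JSON shape; package names are the advisory's,
# trimmed to one binary per source package (constructed subset for brevity).
ADVISORY_FIX = json.loads("""{"fix":[{"product":"CGSL MAIN 4.06","pkgs":[
 {"binary":["polkit-0.96-11.el6_10.1.x86_64.rpm"],"source":"polkit-0.96-11.el6_10.1.src.rpm"},
 {"binary":["openssh-latest-8.0p1-1.el6.cgslv4_6.0.4.ge38e9b4.x86_64.rpm"],
  "source":"openssh-latest-8.0p1-1.el6.cgslv4_6.0.4.ge38e9b4.src.rpm"}]}]}""")

# name-ver-rel.arch: version and release never contain '-', arch never contains '.'
RPM_RE = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$")

def parse_rpm(label):
    """Split an rpm file name or an `rpm -qa` line into (name, ver, rel, arch)."""
    m = RPM_RE.match(label[:-4] if label.endswith(".rpm") else label)
    if not m:
        raise ValueError("not an rpm label: " + label)
    return m.group("name", "ver", "rel", "arch")

def vercmp(a, b):
    """Simplified rpmvercmp: numeric runs beat alpha runs, ints/strings compared in turn."""
    key = lambda run: (1, int(run)) if run.isdigit() else (0, run)
    sa = [key(r) for r in re.findall(r"[0-9]+|[A-Za-z]+", a)]
    sb = [key(r) for r in re.findall(r"[0-9]+|[A-Za-z]+", b)]
    return (sa > sb) - (sa < sb)  # list order: run by run, then the longer one wins

def fixed_builds(fix_record):
    """Map binary package name -> (ver, rel) of the build that carries the fix."""
    return {parse_rpm(fn)[0]: parse_rpm(fn)[1:3] for product in fix_record["fix"]
            for pkg in product["pkgs"] for fn in pkg["binary"]}

def unpatched(installed, fix_record=ADVISORY_FIX):
    """Return the `rpm -qa` lines that are still older than the advisory's fixed build."""
    fixed, stale = fixed_builds(fix_record), []
    for line in installed:
        name, ver, rel, _ = parse_rpm(line)
        if name in fixed:
            fver, frel = fixed[name]
            if (vercmp(ver, fver), vercmp(rel, frel)) < (0, 0):  # older by ver, then rel
                stale.append(line)
    return stale

# Constructed sample of `rpm -qa` output from a host that is only half patched.
INSTALLED = ["polkit-0.96-11.el6_10.1.x86_64",                          # already at the fixed build
             "openssh-latest-8.0p1-1.el6.cgslv4_6.0.3.gabcdef0.x86_64",  # constructed older release
             "bash-4.1.2-1.el6.x86_64"]                                  # not covered by the advisory

if __name__ == "__main__":
    print("\n".join("UNPATCHED: " + l for l in unpatched(INSTALLED)))
```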

CVE

References