Amazon Linux 1 Security Advisory: ALAS-2014-319
Advisory Release Date: 2014-03-28 18:25 Pacific
Advisory Updated Date: 2014-09-18 00:48 Pacific
Due to a problem with the configuration of kernels 3.10.34-37 and 3.10.34-38 and their interaction with the authentication modules stack, the sshd daemon, which is part of the openssh package, will no longer allow remote logins following a restart of the sshd service.
There are two permanent fixes for this issue, and we urge you to apply both.
(1) Update to openssh-server-6.2p2-7.40.
(2) Update to kernel-3.10.34-39 and reboot your instance.
To apply these fixes, run `yum update openssh kernel` and reboot your instance.
The new openssh package includes workarounds for the misconfigured kernels, and the new kernel package addresses the misconfiguration issue from earlier builds.
If you are unable to log in to your instance due to this issue, you can recover your instances via the RebootInstance API call (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-reboot.html) (`ec2-reboot-instances i-XXXXXXXX` or `aws ec2 reboot-instances --instance-ids i-XXXXXXXX`) but the permanent fix will still be needed.
Any Amazon Linux AMI on which the running kernel is either 3.10.34-37 or 3.10.34-38 is impacted by this issue.
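The following triage script is an added example, not part of Amazon's advisory. It classifies a host from its running kernel and installed openssh-server build, assuming that `uname -r` output begins with the kernel build named above followed by further dot-separated fields, that the openssh string comes from `rpm -q --qf '%{VERSION}-%{RELEASE}' openssh-server`, and that `sort -V` is available; host labels and sample release strings are constructed.

```shell
#!/bin/sh
# Added example: triage hosts against ALAS-2014-319 (not Amazon's code).
# Assumption: kernel release strings start with the build named in the
# advisory (3.10.34-37 / 3.10.34-38), optionally followed by ".<more fields>".

FIXED_OPENSSH="6.2p2-7.40"   # taken from fix (1) in the advisory text

kernel_affected() {
    # Returns 0 if the RUNNING kernel is one of the two affected builds.
    case "$1" in
        3.10.34-37|3.10.34-37.*|3.10.34-38|3.10.34-38.*) return 0 ;;
        *) return 1 ;;
    esac
}

openssh_has_workaround() {
    # Returns 0 if the installed build is >= FIXED_OPENSSH (dist tag stripped).
    installed=${1%.amzn1}
    lowest=$(printf '%s\n%s\n' "$installed" "$FIXED_OPENSSH" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_OPENSSH" ]
}

classify() {
    # $1 = running kernel release, $2 = openssh-server version-release
    if ! kernel_affected "$1"; then
        echo "ok"
    elif openssh_has_workaround "$2"; then
        echo "reboot-pending"   # workaround present, fixed kernel not yet running
    else
        echo "at-risk"          # restarting sshd would block remote logins
    fi
}

triage_sample() {
    # Constructed inventory lines: label, kernel release, openssh-server build.
    while read -r label kernel openssh; do
        printf '%s %s\n' "$label" "$(classify "$kernel" "$openssh")"
    done <<'EOF'
host-a 3.10.34-37.0.amzn1.x86_64 6.2p2-7.39.amzn1
host-b 3.10.34-38.0.amzn1.x86_64 6.2p2-7.40.amzn1
host-c 3.10.34-39.0.amzn1.x86_64 6.2p2-7.40.amzn1
EOF
}

triage_sample
```

The check keys on the running kernel rather than the installed kernel package, because an instance that has been updated but not rebooted is still on an affected build.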
Affected Packages:
openssh
Issue Correction:
To apply these fixes, run `yum update openssh kernel` and reboot your instance.
i686:
openssh-clients-6.2p2-7.39.amzn1.i686
openssh-keycat-6.2p2-7.39.amzn1.i686
openssh-ldap-6.2p2-7.39.amzn1.i686
pam_ssh_agent_auth-0.9.3-5.7.39.amzn1.i686
openssh-server-6.2p2-7.39.amzn1.i686
openssh-debuginfo-6.2p2-7.39.amzn1.i686
openssh-6.2p2-7.39.amzn1.i686
src:
openssh-6.2p2-7.39.amzn1.src
x86_64:
openssh-ldap-6.2p2-7.39.amzn1.x86_64
openssh-clients-6.2p2-7.39.amzn1.x86_64
openssh-6.2p2-7.39.amzn1.x86_64
openssh-server-6.2p2-7.39.amzn1.x86_64
pam_ssh_agent_auth-0.9.3-5.7.39.amzn1.x86_64
openssh-debuginfo-6.2p2-7.39.amzn1.x86_64
openssh-keycat-6.2p2-7.39.amzn1.x86_64