ALAS-2014-319


Amazon Linux AMI Security Advisory: ALAS-2014-319
Advisory Release Date: 2014-09-18 00:48 Pacific
Severity: Important
References:

Issue Overview:

Due to a problem with the configuration of kernels 3.10.34-37 and 3.10.34-38 and their interaction with the authentication modules stack, the sshd daemon, which is part of the openssh package, will no longer allow remote logins following a restart of the sshd service.

There are two permanent fixes for this issue, and we urge you to apply both.

(1) Update to openssh-server-6.2p2-7.40.
(2) Update to kernel-3.10.34-39 and reboot your instance.

To apply these fixes, run yum update openssh kernel and reboot your instance.

The new openssh package includes workarounds for the misconfigured kernels, and the new kernel package addresses the misconfiguration issue from earlier builds.

If you are unable to log in to your instance due to this issue, you can recover your instances via the RebootInstances API call (ec2-reboot-instances i-XXXXXXXX or aws ec2 reboot-instances --instance-ids i-XXXXXXXX), but the permanent fix will still be needed.

Any Amazon Linux AMI on which the running kernel is either 3.10.34-37 or 3.10.34-38 is impacted by this issue.
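
A host-side check for the condition described above, as an added example that is not part of the original advisory: it classifies a host from its running kernel (uname -r, not the installed kernel package, since the fix needs a reboot) and its openssh-server build, using the versions named in this advisory. The function names, verdict words and the --check argument are assumptions of this example, and it only compares openssh-server builds in the 6.2p2-7.x line.

```shell
#!/bin/sh
# Added example, not Amazon's tooling. Version numbers are taken from the advisory text.

# Return 0 if the kernel release string (as printed by uname -r) is an affected build.
kernel_affected() {
    case "$1" in
        3.10.34-37|3.10.34-37.*|3.10.34-38|3.10.34-38.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if an openssh-server VERSION-RELEASE string is 6.2p2-7.40 or a later
# 6.2p2-7.x build, 1 if it is an older 6.2p2-7.x build, 2 if it is not comparable here.
openssh_has_workaround() {
    case "$1" in
        6.2p2-7.*) ;;
        *) return 2 ;;
    esac
    _rel=${1#6.2p2-7.}     # e.g. "39.amzn1"
    _rel=${_rel%%.*}       # e.g. "39"
    case "$_rel" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$_rel" -ge 40 ]
}

# Print one verdict word for a (running kernel, openssh-server build) pair.
assess() {
    if ! kernel_affected "$1"; then
        echo "NOT_IMPACTED"
        return 0
    fi
    _rc=0
    openssh_has_workaround "$2" || _rc=$?
    case "$_rc" in
        0) echo "KERNEL_PENDING" ;;  # workaround installed; kernel update and reboot still needed
        1) echo "AT_RISK" ;;         # restarting sshd would block remote logins
        *) echo "CHECK_OPENSSH" ;;   # build outside the 6.2p2-7.x line; verify by hand
    esac
}

# Live check: runs only when invoked as "<script> --check" on an RPM-based host.
if [ "${1:-}" = "--check" ]; then
    assess "$(uname -r)" "$(rpm -q --qf '%{VERSION}-%{RELEASE}' openssh-server)"
fi
```

A host reporting AT_RISK should get both updates before anything restarts sshd; KERNEL_PENDING means the openssh workaround is installed but the instance is still running an affected kernel.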


Affected Packages:

openssh


Issue Correction:
To apply these fixes, run yum update openssh kernel and reboot your instance.

New Packages:
i686:
    openssh-clients-6.2p2-7.39.amzn1.i686
    openssh-keycat-6.2p2-7.39.amzn1.i686
    openssh-ldap-6.2p2-7.39.amzn1.i686
    pam_ssh_agent_auth-0.9.3-5.7.39.amzn1.i686
    openssh-server-6.2p2-7.39.amzn1.i686
    openssh-debuginfo-6.2p2-7.39.amzn1.i686
    openssh-6.2p2-7.39.amzn1.i686

src:
    openssh-6.2p2-7.39.amzn1.src

x86_64:
    openssh-ldap-6.2p2-7.39.amzn1.x86_64
    openssh-clients-6.2p2-7.39.amzn1.x86_64
    openssh-6.2p2-7.39.amzn1.x86_64
    openssh-server-6.2p2-7.39.amzn1.x86_64
    pam_ssh_agent_auth-0.9.3-5.7.39.amzn1.x86_64
    openssh-debuginfo-6.2p2-7.39.amzn1.x86_64
    openssh-keycat-6.2p2-7.39.amzn1.x86_64