Posted On: Mar 29, 2014

Amazon Linux AMI Security Advisory: ALAS-2014-319
Advisory Release Date: Mar 28, 2014 @ 6:30 PM
Severity: important

Issue Overview:

Due to a problem with the configuration of kernels 3.10.34-37 and 3.10.34-38 and their interaction with the authentication modules stack, the sshd daemon, which is part of the openssh package, will no longer allow remote logins following a restart of the sshd service.

There are two permanent fixes for this issue, and we urge you to apply both.

  • Update to openssh-server-6.2p2-7.40.
  • Update to kernel-3.10.34-39 and reboot your instance.

To apply these fixes, run yum update openssh kernel and reboot your instance.
The new openssh package includes workarounds for the misconfigured kernels and the new kernel package addresses the misconfiguration issue from earlier builds.

If you are unable to log in to your instance due to this issue, you can recover your instances via the RebootInstances API call (ec2-reboot-instances i-XXXXXXXX or aws ec2 reboot-instances --instance-ids i-XXXXXXXX), but the permanent fix will still be needed.


Affected Versions:

Any Amazon Linux AMI on which the running kernel is either 3.10.34-37 or 3.10.34-38.
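
The following pre-flight check is an added example, not part of the original advisory: it classifies an instance from its running kernel release and installed openssh-server version, so you know whether an sshd restart is safe. The helper names, status strings and sample inputs are constructed for illustration, and GNU sort -V is assumed as a stand-in for RPM's version comparison.

```shell
#!/bin/sh
# Added example (not from the advisory): pre-flight check for ALAS-2014-319.
# Helper names and the three status strings are hypothetical.

# Succeeds when the running kernel release is one of the two affected builds.
kernel_affected() {
    case "$1" in
        3.10.34-37|3.10.34-37.*|3.10.34-38|3.10.34-38.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when an openssh-server VERSION-RELEASE is at or above 6.2p2-7.40.
# Assumption: GNU `sort -V` stands in for RPM's own version comparison.
openssh_fixed() {
    fixed="6.2p2-7.40"
    ver=${1%%.amzn1*}                      # drop the dist tag and arch
    lowest=$(printf '%s\n%s\n' "$fixed" "$ver" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
}

# Prints one status for a (kernel release, openssh-server version) pair.
assess() {
    if ! kernel_affected "$1"; then
        echo "not-affected"
    elif openssh_fixed "$2"; then
        echo "workaround-installed"        # still update the kernel and reboot
    else
        echo "at-risk"                     # an sshd restart will block remote logins
    fi
}

# Constructed sample inputs (not captured from real instances).
# On an instance: assess "$(uname -r)" "$(rpm -q --qf '%{VERSION}-%{RELEASE}' openssh-server)"
for pair in \
    "3.10.34-37.amzn1.x86_64 6.2p2-7.39.amzn1" \
    "3.10.34-38.amzn1.x86_64 6.2p2-7.40.amzn1" \
    "3.10.34-39.amzn1.x86_64 6.2p2-7.40.amzn1"
do
    set -- $pair
    printf '%-26s %-18s %s\n' "$1" "$2" "$(assess "$1" "$2")"
done
```

An "at-risk" result means the fixes should be applied before sshd is restarted; "workaround-installed" still calls for the kernel update and reboot.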


Affected Packages:

openssh


Issue Correction:

To apply these fixes, run yum update openssh kernel and reboot your instance.


New Packages:

i686:

    openssh-clients-6.2p2-7.40.amzn1.i686

    openssh-keycat-6.2p2-7.40.amzn1.i686

    openssh-ldap-6.2p2-7.40.amzn1.i686

    pam_ssh_agent_auth-0.9.3-5.7.40.amzn1.i686

    openssh-server-6.2p2-7.40.amzn1.i686

    openssh-debuginfo-6.2p2-7.40.amzn1.i686

    openssh-6.2p2-7.40.amzn1.i686

x86_64:

    openssh-ldap-6.2p2-7.40.amzn1.x86_64

    openssh-clients-6.2p2-7.40.amzn1.x86_64

    openssh-6.2p2-7.40.amzn1.x86_64

    openssh-server-6.2p2-7.40.amzn1.x86_64

    pam_ssh_agent_auth-0.9.3-5.7.40.amzn1.x86_64

    openssh-debuginfo-6.2p2-7.40.amzn1.x86_64

    openssh-keycat-6.2p2-7.40.amzn1.x86_64