User: Password:
|
|
Subscribe / Log in / New account

OpenPKG alert OpenPKG-SA-2006.022 (openssh)

From:  OpenPKG <openpkg@openpkg.org>
To:  openpkg-announce@openpkg.org
Subject:  [OpenPKG-SA-2006.022] OpenPKG Security Advisory (openssh)
Date:  Sun, 1 Oct 2006 10:27:14 +0200

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ________________________________________________________________________ OpenPKG Security Advisory The OpenPKG Project http://www.openpkg.org/security/ http://www.openpkg.org openpkg-security@openpkg.org openpkg@openpkg.org OpenPKG-SA-2006.022 01-Oct-2006 ________________________________________________________________________ Package: openssh Vulnerability: denial of service OpenPKG Specific: no OpenPKG Series: Affected Packages: Corrected Packages: CURRENT <= openssh-4.3p2-20060924 >= openssh-4.4p1-20060928 2-STABLE <= openssh-4.3p2-2.20060622 >= openssh-4.4p1-2.20060929 2-STABLE-20060622 <= openssh-4.3p2-2.20060622 >= openssh-4.4p1-2.20060929 2.5-RELEASE <= openssh-4.2p1-2.5.3 >= openssh-4.2p1-2.5.4 Description: According to a vendor security advisory [0], multiple vulnerabilities exist in the Secure Shell (SSH) implementation OpenSSH [1]: First, a pre-authentication denial of service was found by Tavis Ormandy that would cause sshd(8) to spin until the login grace time expired. The Common Vulnerabilities and Exposures (CVE) project assigned the ids CVE-2006-4924 [2] and CVE-2006-4925 [3] to the problem. Second, an unsafe signal handler, reported by Mark Dowd, was fixed. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. This vulnerability could theoretically lead to pre-authentication remote code execution if some authentication methods like GSSAPI are enabled, but the likelihood of successful exploitation appears remote. The Common Vulnerabilities and Exposures (CVE) project assigned the id CVE-2006-5051 [4] to the problem. ________________________________________________________________________ References: [0] http://www.openssh.com/txt/release-4.4 [1] http://www.openssh.com/ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924 [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4925 [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051 ________________________________________________________________________ For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the OpenPKG project which you can retrieve from http://pgp.openpkg.org and hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org for details on how to verify the integrity of this advisory. ________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Comment: OpenPKG <openpkg@openpkg.org> iD8DBQFFH3vSgHWT4GPEy58RAlDBAJ40g98LLlcoVTAdnczmE9BjorOUjQCfSD82 lZQ3bMOn8xTxAPyL2PrWK7w= =GNXY -----END PGP SIGNATURE----- ______________________________________________________________________ The OpenPKG Project www.openpkg.org Project Announcement List openpkg-announce@openpkg.org


(Log in to post comments)


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds