Date:  Fri, 19 Oct 2007 03:58:45 +0200
From:  Michael Stauber <bq (at mark)>
Subject:  [coba-e:10909] Re: ssh vulnerability question
To:  coba-e (at mark)
Message-Id:  < (at mark)>
In-Reply-To:  <091801c811b1$58c50690$6700a8c0@OfficeKen>
References:  <bb9e5a970710161411o6659e0atd46dda2d838bad62 (at mark)> <bb9e5a970710171636g4a4e4564i72569ed2d8fe87db (at mark)> <091801c811b1$58c50690$6700a8c0 (at mark) OfficeKen>
X-Mail-Count: 10909

Hi Ken,

> is showing a vulnerability for SSH where
> GssapiAuthentication is set to yes
> Solution : Upgrade to OpenSSH 4.4 or later.
> Risk factor :  High / CVSS Base Score : 7.6
> (CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C)
> CVE : CVE-2006-5051, CVE-2006-5052
> BID : 20241, 20245
> Other references : OSVDB:29264
> Is this actually a vulnerability?

On a fully patched BlueQuartz you'll find openssh-3.9p1-8.RHEL4.20 installed. 

The SRPM for it is available here:

The changelogs show what has been patched and usually also list the relevant 
CVE numbers:

* Fri Nov 10 2006 Tomas Mraz <tmraz (at mark)> 3.9p1-8.RHEL4.20
- CVE-2006-5794 properly detect failed key verify in monitor (#214640)

* Tue Oct 10 2006 Tomas Mraz <tmraz (at mark)> 3.9p1-8.RHEL4.19
- add support for hashed known_hosts file (#162681)

* Thu Oct  5 2006 Tomas Mraz <tmraz (at mark)> 3.9p1-8.RHEL4.18
- fixed client behaviour when remote program generates large output (#184357)
- don't report duplicate syslog messages, use correct local time (#203671)
- don't set IPV6_V6ONLY sock opt when listening on wildcard addr (#201594)
- fix audit patch to include loginrec.h in auth.c (#193710)

* Thu Sep 28 2006 Tomas Mraz <tmraz (at mark)> 3.9p1-8.RHEL4.17
- CVE-2006-5051 don't call cleanups from signal handler (#208347)

CVE-2006-5051 and CVE-2006-5052 both deal with GSSAPI issues, where 
CVE-2006-5051 may lead to a crash and CVE-2006-5052 allows one to find out if a 
user is a valid user or not by simply timing how long OpenSSH takes to 

When you look the CVE numbers up at ...

... you'll see a list of affected vendors and links to their own related 

When you check the RedHat related links for CVE-2006-5051 and CVE-2006-5052 
they both lead to the same page:

So both issues appear to be patched in openssh-3.9p1-8.RHEL4.20. 

With best regards,

Michael Stauber
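Added example, not from the mail above or from the Red Hat package: a small Python check that applies the approach described in the reply, parsing the output of `rpm -q --changelog` for CVE ids per version-release and listing which scanner-reported CVEs the changelog does not mention. The changelog text is a constructed sample based on the entries quoted above (maintainer address replaced by a placeholder); the package name and scanner list are assumptions.

```python
import re
import subprocess
from typing import Dict, List, Set

# Constructed sample in the format `rpm -q --changelog <pkg>` prints:
# a "* <date> <packager> <version-release>" header, then "- " items.
SAMPLE_CHANGELOG = """\
* Fri Nov 10 2006 Tomas Mraz <tmraz@EXAMPLE> 3.9p1-8.RHEL4.20
- CVE-2006-5794 properly detect failed key verify in monitor (#214640)

* Tue Oct 10 2006 Tomas Mraz <tmraz@EXAMPLE> 3.9p1-8.RHEL4.19
- add support for hashed known_hosts file (#162681)

* Thu Sep 28 2006 Tomas Mraz <tmraz@EXAMPLE> 3.9p1-8.RHEL4.17
- CVE-2006-5051 don't call cleanups from signal handler (#208347)
"""

# Header line: the last whitespace-separated token is the version-release.
HEADER_RE = re.compile(r"^\* .+?\s(\S+)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def installed_changelog(package: str) -> str:
    """Fetch the changelog of an installed RPM (package name is an assumption)."""
    out = subprocess.run(["rpm", "-q", "--changelog", package],
                         capture_output=True, text=True, check=True)
    return out.stdout


def cves_by_release(changelog: str) -> Dict[str, Set[str]]:
    """Map each version-release header to the CVE ids mentioned under it."""
    result: Dict[str, Set[str]] = {}
    current = None
    for line in changelog.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, set())
        elif current is not None:
            result[current].update(CVE_RE.findall(line))
    return result


def unmatched_cves(changelog: str, reported: List[str]) -> List[str]:
    """Scanner-reported CVEs that no changelog entry names.

    Absence here is not proof the issue is unpatched: as the mail notes for
    CVE-2006-5052, a fix may be covered by a vendor errata page instead.
    """
    mentioned = set().union(*cves_by_release(changelog).values())
    return sorted(c for c in reported if c not in mentioned)
```

Run `unmatched_cves(installed_changelog("openssh-server"), [...])` on a live host; anything it returns still needs a look at the vendor's errata page before being reported as patched or not.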