
Date:  Fri, 19 Oct 2007 11:30:04 -0700
From:  "Ken Marcus - Precision Web Hosting, Inc." <kenmarcus (at mark) precisionweb.net>
Subject:  [coba-e:10910] Re: ssh vulnerability question
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <0e1f01c8127e$11d91dc0$6700a8c0@OfficeKen>
References:  <bb9e5a970710161411o6659e0atd46dda2d838bad62 (at mark) mail.gmail.com> <bb9e5a970710171636g4a4e4564i72569ed2d8fe87db (at mark) mail.gmail.com> <091801c811b1$58c50690$6700a8c0 (at mark) OfficeKen> <200710190358.45769.bq (at mark) solarspeed.net>
X-Mail-Count: 10910


----- Original Message ----- 
From: "Michael Stauber" <bq (at mark) solarspeed.net>
To: <coba-e (at mark) bluequartz.org>
Sent: Thursday, October 18, 2007 6:58 PM
Subject: [coba-e:10909] Re: ssh vulnerability question


> Hi Ken,
>
>> Scanalert.com is showing a vulnerability for SSH where
>> GssapiAuthentication is set to yes
>>
>> http://www.openssh.com/txt/release-4.4
>> Solution : Upgrade to OpenSSH 4.4 or later.
>> Risk factor :  High / CVSS Base Score : 7.6
>> (CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C)
>> CVE : CVE-2006-5051, CVE-2006-5052
>> BID : 20241, 20245
>> Other references : OSVDB:29264
>>
>> Is this actually a vulnerability?
>
> On a fully patched BlueQuartz you'll find openssh-3.9p1-8.RHEL4.20 installed.
>
> The SRPM for it is available here:
> http://mirror.centos.org/centos/4/os/SRPMS/openssh-3.9p1-8.RHEL4.20.src.rpm
>
> The changelogs show what has been patched and usually also list the
> relevant CVE numbers:
>
> --------------------------------------------------------------------------------------------------------------
> %changelog
> * Fri Nov 10 2006 Tomas Mraz <tmraz (at mark) redhat.com> 3.9p1-8.RHEL4.20
> - CVE-2006-5794 properly detect failed key verify in monitor (#214640)
>
> * Tue Oct 10 2006 Tomas Mraz <tmraz (at mark) redhat.com> 3.9p1-8.RHEL4.19
> - add support for hashed known_hosts file (#162681)
>
> * Thu Oct  5 2006 Tomas Mraz <tmraz (at mark) redhat.com> 3.9p1-8.RHEL4.18
> - fixed client behaviour when remote program generates large output 
> (#184357)
> - don't report duplicate syslog messages, use correct local time (#203671)
> - don't set IPV6_V6ONLY sock opt when listening on wildcard addr (#201594)
> - fix audit patch to include loginrec.h in auth.c (#193710)
>
> * Thu Sep 28 2006 Tomas Mraz <tmraz (at mark) redhat.com> 3.9p1-8.RHEL4.17
> - CVE-2006-5051 don't call cleanups from signal handler (#208347)
> [snip]
> --------------------------------------------------------------------------------------------------------------
>
> CVE-2006-5051 and CVE-2006-5052 deal both with GSSAPI issues, where
> CVE-2006-5051 may lead to a crash and CVE-2006-5052 allows one to find out
> if a user is a valid user or not by simply timing how long OpenSSH takes to
> authenticate.
>
> When you look the CVE numbers up at ...
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5052
>
> ... you'll see a list of affected vendors and links to their own related
> publications.
>
> When you check the RedHat related links for CVE-2006-5051 and CVE-2006-5052
> they both lead to the same page:
>
> http://rhn.redhat.com/errata/RHSA-2006-0697.html
>
> So both issues appear to be patched in openssh-3.9p1-8.RHEL4.20.
>
> -- 
> With best regards,
>
> Michael Stauber
> http://www.solarspeed.net


Thanks again, Michael.

When I run
yum list | grep ssh
I see that I was OK (except on that one old server that I had forgotten
about).



----
Ken Marcus
Ecommerce Web Hosting by
Precision Web Hosting, Inc.
http://www.precisionweb.net
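The check Michael describes above (does the installed RPM's changelog name the CVE, and is the installed release at or past the release that fixed it) as an added example; this is not code from the thread or from Red Hat. It assumes the changelog text comes from `rpm -q --changelog openssh-server` on the host, and the sample below is constructed from the entries quoted in the reply.

```python
"""Backport-aware CVE check for an installed RPM (added example, not from the thread).

Version-banner scanners flag openssh-3.9p1 as vulnerable; the RPM changelog shows
whether the fix was backported.  In real use feed in the output of
`rpm -q --changelog openssh-server`; SAMPLE_CHANGELOG is constructed from the
entries quoted in the mailing-list reply.
"""
import re

SAMPLE_CHANGELOG = """\
* Fri Nov 10 2006 Tomas Mraz <tmraz (at mark) redhat.com> 3.9p1-8.RHEL4.20
- CVE-2006-5794 properly detect failed key verify in monitor (#214640)

* Tue Oct 10 2006 Tomas Mraz <tmraz (at mark) redhat.com> 3.9p1-8.RHEL4.19
- add support for hashed known_hosts file (#162681)

* Thu Sep 28 2006 Tomas Mraz <tmraz (at mark) redhat.com> 3.9p1-8.RHEL4.17
- CVE-2006-5051 don't call cleanups from signal handler (#208347)
"""

ENTRY_HEADER = re.compile(r"^\* .+?\s(\S+)$")   # last token of a '* ...' line is version-release
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def cve_fix_releases(changelog: str) -> dict:
    """Map each CVE named in the changelog to the (oldest) release whose entry names it."""
    fixes, release = {}, None
    for line in changelog.splitlines():
        m = ENTRY_HEADER.match(line)
        if m:
            release = m.group(1)
            continue
        for cve in CVE_ID.findall(line):
            if release is not None:
                fixes[cve] = release   # entries are newest-first, so the last hit is the fix release
    return fixes


def _segments(version: str):
    """Split '3.9p1-8.RHEL4.20' into alternating digit/alpha runs, as rpmvercmp does."""
    return re.findall(r"\d+|[A-Za-z]+", version)


def version_at_least(installed: str, required: str) -> bool:
    """Simplified rpmvercmp: numbers compare as ints, letters as strings, numeric beats alpha."""
    for a, b in zip(_segments(installed), _segments(required)):
        if a == b:
            continue
        if a.isdigit() and b.isdigit():
            return int(a) > int(b)
        if a.isdigit() != b.isdigit():
            return a.isdigit()
        return a > b
    return len(_segments(installed)) >= len(_segments(required))


def check_package(installed: str, changelog: str, cves) -> dict:
    """For each CVE: (release that first names it or None, installed release has that fix)."""
    fixes = cve_fix_releases(changelog)
    return {c: (fixes.get(c), fixes.get(c) is not None and version_at_least(installed, fixes[c]))
            for c in cves}
```

A CVE absent from the changelog (as CVE-2006-5052 is in the quoted excerpt) is not evidence of exposure: as the reply notes, the vendor errata page is the authoritative cross-reference and should be consulted before closing the scanner finding.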