Bug 128928

Summary: VUL-0: openssh: GSSAPI info disclosure
Product: [openSUSE] SUSE Linux 10.1 Reporter: Thomas Biege <thomas>
Component: OtherAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: ast, kukuk, patch-request, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVE-2005-2798: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Thomas Biege 2005-10-18 06:43:36 UTC 
Hello Petr,
are we affected by this?

[USN-208-1] SSH server vulnerability
  ===========================================================
Ubuntu Security Notice USN-208-1           October 17, 2005
openssh vulnerability
CAN-2005-2798
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

openssh-server

The problem can be corrected by upgrading the affected package to
version 1:3.8.1p1-11ubuntu3.2 (for Ubuntu 4.10), or 1:3.9p1-1ubuntu2.1
(for Ubuntu 5.04).  In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

An information disclosure vulnerability has been found in the SSH
server. When the GSSAPIAuthentication option was enabled, the SSH
server could send GSSAPI credentials even to users who attempted to
log in with a method other than GSSAPI. This could inadvertently
expose these credentials to an untrusted user.

Please note that this does not affect the default configuration of the
SSH server.


Updated packages for Ubuntu 4.10:

  Source archives:

   
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1-11ubuntu3.2.diff.gz
      Size/MD5:   145915 b3fde6ad57fa71c6fedd0d857a41b98d
   
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1-11ubuntu3.2.dsc
      Size/MD5:      878 24b7a0d1b0bc1b12b4bfcdbe6523175f
   
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1.orig.tar.gz
      Size/MD5:   795948 9ce6f2fa5b2931ce2c4c25f3af9ad50d
Comment 1 Petr Ostadal 2005-10-20 11:41:54 UTC 
Our default runtime configuration does not affected.

This and other problems were discussed in bug #114964 and in comment 8 Marcus said : "We are also not planning to release security updates for the issues inside currently."

But if you change the decision, I have small patch for this gssapi problem...
Comment 2 Petr Ostadal 2005-11-01 15:58:54 UTC 
ping
Comment 3 Thomas Biege 2005-11-04 07:21:39 UTC 
can it switched on by the admin?
Comment 4 Thomas Biege 2005-11-14 11:06:51 UTC 
if it can be switched on by the admin I tend to release an update for it
Comment 5 Petr Ostadal 2005-11-15 12:18:23 UTC 
Sorry for too late response, I was ill.
Yes admin can enable it by set GSSAPIAuthentication to yes in /etc/ssh/sshd_config.
Comment 6 Thomas Biege 2005-11-15 12:22:37 UTC 
Hope you are fine again! :)

We should release updates for this bug. SSH is a sensible application and leaking credentials isn't good.
Comment 7 Petr Ostadal 2005-11-21 11:31:34 UTC 
I have prepared patch for all distros, but I have problem how I have to solve SLES9 distribution, because there is version update of openssh for SLES9-SP3 and it can collide with this security update. How can I solve? (prepare same update for SLES9 and SLES9-SP3?)
Comment 8 Marcus Meissner 2005-11-21 11:54:13 UTC 
i would suggest fix for the SP3 version only, it will obsolete the previous
version anyway.
Comment 9 Thorsten Kukuk 2005-11-21 16:12:43 UTC 
Answer given by Marcus already ...
Comment 10 Petr Ostadal 2005-11-21 21:24:12 UTC 
Submited for all distros.
Thorsten, where can I get the older patchinfo of openssh, which I submited with last changes for SLES9-SP3? I'd like update this patchinfo.
Comment 11 Thorsten Kukuk 2005-11-23 10:57:23 UTC 
This patchinfos are already checked in. If you wish to modify them, you have
to ask hmuelle if this is still possible and how, I don't know.
Comment 12 Petr Ostadal 2005-11-23 11:31:05 UTC 
Harald, could you help me?
Comment 13 Harald Mueller-Ney 2005-11-23 12:29:01 UTC 
Just submit your fixes as usual for an SP and sent the description extension by eMail to "maint-coord@suse.de" stating the MD5SUM, SWAMPID and SUBSWAMPID

If we need more changes to the patchinfo, also sent an eMail telling the needed changes.
Comment 14 Petr Ostadal 2005-11-23 12:36:11 UTC 
Ok, and where I can get MD5SUM and SUBSWAMPID (I can't find it in swamp.suse.de, maybe I have not permission for SP3 SWAMPID).
Comment 15 Petr Ostadal 2005-11-23 17:18:02 UTC 
Thnx Zuzka (zpetrova@), which found the right record for me (b6dd9cd1ee5f739fa4bb7a65575aa18a, 2229, 2842).
Comment 16 Anja Stock 2006-01-11 15:53:51 UTC 
what is the status here?
Comment 17 Petr Ostadal 2006-01-11 20:02:37 UTC 
You have to ask security team.
Comment 18 Marcus Meissner 2006-01-20 14:54:36 UTC 
Thomas? its needinfo assigned to you?
Comment 19 Thomas Biege 2006-01-24 08:04:59 UTC 
Dunno what info is left. As far as I can read from the previous entries packages are submitted, sles9 version problem ist solved, patchinfos are modified.
Comment 20 Anja Stock 2006-01-24 12:58:23 UTC 
status is ASSIGNED
Comment 21 Ruediger Oertel 2006-01-26 13:32:59 UTC 
packages are submitted, but there is no patchinfo file,
what's the status here ?
Comment 22 Thomas Biege 2006-01-26 13:35:30 UTC 
see comment #12 an #13.
Comment 23 Thomas Biege 2006-01-26 13:36:09 UTC 
I don't know what happens after it or if it happen at all.
Comment 24 Marcus Meissner 2006-01-26 13:44:50 UTC 
we need to supply new patchinfos for this bugfix (the comments talked about the SP3 patchinfo for the version update).


So, we need patchinfos for all boxes (9.1-10.0), SLES8/SLEC. 

SLES 9 patchinfos are _not_ necessary, since we released the fix with SP3 already.
Comment 25 Thomas Biege 2006-01-26 16:15:50 UTC 
Maintenance-Tracker-3418
Comment 26 Thomas Biege 2006-01-26 16:30:35 UTC 
/work/src/done/PATCHINFO/openssh.patch.maintained
/work/src/done/PATCHINFO/openssh.patch.box
Comment 27 Thomas Biege 2006-02-01 16:03:31 UTC 
packages approved
Comment 28 Thomas Biege 2009-10-13 21:42:04 UTC 
CVE-2005-2798: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)