Bugzilla – Bug 128928
VUL-0: openssh: GSSAPI info disclosure
Last modified: 2009-10-13 21:42:04 UTC
Hello Petr, are we affected by this?

[USN-208-1] SSH server vulnerability

===========================================================
Ubuntu Security Notice USN-208-1 October 17, 2005
openssh vulnerability
CAN-2005-2798
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

openssh-server

The problem can be corrected by upgrading the affected package to version 1:3.8.1p1-11ubuntu3.2 (for Ubuntu 4.10), or 1:3.9p1-1ubuntu2.1 (for Ubuntu 5.04). In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

An information disclosure vulnerability has been found in the SSH server. When the GSSAPIAuthentication option was enabled, the SSH server could send GSSAPI credentials even to users who attempted to log in with a method other than GSSAPI. This could inadvertently expose these credentials to an untrusted user.

Please note that this does not affect the default configuration of the SSH server.

Updated packages for Ubuntu 4.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1-11ubuntu3.2.diff.gz
Size/MD5: 145915 b3fde6ad57fa71c6fedd0d857a41b98d
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1-11ubuntu3.2.dsc
Size/MD5: 878 24b7a0d1b0bc1b12b4bfcdbe6523175f
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1.orig.tar.gz
Size/MD5: 795948 9ce6f2fa5b2931ce2c4c25f3af9ad50d
Our default runtime configuration is not affected. This and other problems were discussed in bug #114964, and in comment 8 Marcus said: "We are also not planning to release security updates for the issues inside currently." But if you change the decision, I have a small patch for this gssapi problem...
ping
Can it be switched on by the admin?
If it can be switched on by the admin, I tend to release an update for it.
Sorry for the late response, I was ill. Yes, the admin can enable it by setting GSSAPIAuthentication to yes in /etc/ssh/sshd_config.
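An added example, not part of the original thread or of any SUSE or OpenSSH tooling: a check of sshd_config text for the condition named above, GSSAPIAuthentication set to yes. It goes beyond the thread by also reporting Match blocks that enable the option; the function names and the sample config are constructed, and Include files are assumed not to be in use.

```python
import re

DEFAULT = "no"  # sshd_config(5) default for GSSAPIAuthentication

def _directive(line):
    """Split one sshd_config line into (lowercased keyword, argument string)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # Keyword and argument are separated by whitespace or by a single '='.
    m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)$", line)
    return (m.group(1).lower(), m.group(2).strip()) if m else (line.lower(), "")

def audit_gssapi(config_text):
    """Report where GSSAPIAuthentication is enabled; the first value obtained wins."""
    global_value = None
    match_blocks = []      # Match criteria whose block enables GSSAPI
    current_match = None   # None while still in the global section
    decided = False        # first value inside the current Match block seen?
    for raw in config_text.splitlines():
        parsed = _directive(raw)
        if parsed is None:
            continue
        key, arg = parsed
        if key == "match":
            current_match, decided = arg, False
            continue
        if key != "gssapiauthentication":
            continue
        value = arg.split()[0].strip('"').lower() if arg else ""
        if current_match is None:
            if global_value is None:
                global_value = value
        elif not decided:
            decided = True
            if value == "yes":
                match_blocks.append(current_match)
    effective = global_value or DEFAULT
    return {"global": effective, "match_blocks": match_blocks,
            "enabled": effective == "yes" or bool(match_blocks)}

# Constructed sample input, not taken from any real host.
SAMPLE = """\
# sshd_config (constructed sample)
gssapiauthentication = "yes"
GSSAPIAuthentication no
Match Address 10.0.0.0/8
    GSSAPIAuthentication yes
"""
```

A host where `audit_gssapi(...)["enabled"]` is true is running the non-default configuration the advisory describes and should be prioritised for the fixed package.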
Hope you are fine again! :) We should release updates for this bug. SSH is a sensible application and leaking credentials isn't good.
I have prepared a patch for all distros, but I have a problem with how to handle the SLES9 distribution, because there is a version update of openssh for SLES9-SP3 and it can collide with this security update. How can I solve this? (Prepare the same update for SLES9 and SLES9-SP3?)
I would suggest a fix for the SP3 version only; it will obsolete the previous version anyway.
Answer given by Marcus already ...
Submitted for all distros. Thorsten, where can I get the older patchinfo of openssh, which I submitted with the last changes for SLES9-SP3? I'd like to update this patchinfo.
These patchinfos are already checked in. If you wish to modify them, you have to ask hmuelle if this is still possible and how; I don't know.
Harald, could you help me?
Just submit your fixes as usual for an SP and send the description extension by e-mail to "maint-coord@suse.de", stating the MD5SUM, SWAMPID and SUBSWAMPID. If we need more changes to the patchinfo, also send an e-mail telling the needed changes.
OK, and where can I get the MD5SUM and SUBSWAMPID? (I can't find it in swamp.suse.de; maybe I do not have permission for the SP3 SWAMPID.)
Thanks to Zuzka (zpetrova@), who found the right record for me (b6dd9cd1ee5f739fa4bb7a65575aa18a, 2229, 2842).
What is the status here?
You have to ask security team.
Thomas? It's needinfo assigned to you?
Dunno what info is left. As far as I can read from the previous entries, packages are submitted, the SLES9 version problem is solved, and patchinfos are modified.
status is ASSIGNED
Packages are submitted, but there is no patchinfo file. What's the status here?
See comment #12 and #13.
I don't know what happens after it or if it happens at all.
We need to supply new patchinfos for this bugfix (the comments talked about the SP3 patchinfo for the version update). So, we need patchinfos for all boxes (9.1-10.0), SLES8/SLEC. SLES 9 patchinfos are _not_ necessary, since we released the fix with SP3 already.
Maintenance-Tracker-3418
/work/src/done/PATCHINFO/openssh.patch.maintained /work/src/done/PATCHINFO/openssh.patch.box
packages approved
CVE-2005-2798: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)