Bug 162681 (CVE-2005-2666)
| Summary: | CVE-2005-2666 openssh vulnerable to known_hosts address harvesting | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Richard Bullington-McGuire <rbulling> | ||||||
| Component: | vulnerability | Assignee: | Tomas Mraz <tmraz> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> | ||||||
| Severity: | low | Docs Contact: | |||||||
| Priority: | low | ||||||||
| Version: | unspecified | CC: | security-response-team, tao | ||||||
| Target Milestone: | --- | Keywords: | Security | ||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| URL: | http://nms.csail.mit.edu/projects/ssh/ | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | RHSA-2007-0257 | Doc Type: | Bug Fix | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2007-05-01 17:28:52 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
|
Description
Richard Bullington-McGuire
2005-07-07 16:31:31 UTC
Created attachment 116539 [details]
Patch for openssh-3.9p1
This patch is taken from openssh-4.0p1 and applies to openssh-3.9p1.
Created attachment 116540 [details]
Patch for openssh-3.6.1p2
This patch applies to openssh-3.6.1p2.
I'm moving this bug to affect RHEL4, and noting that this feature could be added to RHEL3 and RHEL2.1 if we decide to support it. Considering this a security issue is a far stretch as you first need an openssh worm in order for it to be a problem. Additionally a worm could search the users shell history and log files for a list of hosts which could potentially be vulnerable, making this much less effective than it would appear from the description. This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release. QE ack for 4.5. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0257.html |