Bug 58865

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | openssh 2.9p2 has multiple vulnerabilities | | |
| Product | [Retired] Red Hat Linux | Reporter | George France <france> |
| Component | openssh | Assignee | Tom Tromey <tromey> |
| Status | CLOSED NOTABUG | QA Contact | Brian Brock <bbrock> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 7.3 | CC | patrickm |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | alpha | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2002-02-11 18:56:43 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
George France
2002-01-26 01:17:35 UTC
I've looked into this a bit. Our current tree has openssh-2.9p2-12, which has a patch for the UseLogin exploit. This version will ship in the final candidate. I'm not certain that we support enabling Kerberos V here. I've asked and I'll report back when I have more information.

By enabling Kerberos V support, do you mean that you enabled Kerberos for authentication at install-time (or later, using authconfig), or that you rebuilt the OpenSSH package with Kerberos V support (which it does not enable by default)? If you selected Kerberos at install-time, you are not affected by the bug in OpenSSH, and if you rebuilt the package to enable Kerberos support, I recommend starting with the Raw Hide version of the package (currently at ftp://ftp.redhat.com/pub/redhat/linux/rawhide/SRPMS/SRPMS/openssh-3.0.2p1-2.src.rpm) instead.

The UseLogin vulnerability has been addressed by a security erratum (https://www.redhat.com/support/errata/RHSA-2001-161.html), so I'm closing this report and marking it resolved by errata.

I'm changing this to "Modified" per the project policy.

I've looked into this some more. Nalin pointed me to the Security Focus article: http://www.securityfocus.com/archive/78/242256 This reads in part: "The only affected OpenSSH implementations are those that have compiled into the program the Kerberos V compatibility code."

As we do not compile in this code, I believe we are not vulnerable to this hole. Closing out.

Current version for the alpha dist is:

[root@localhost etc]# rpm -q openssh
openssh-3.1p1-2

Bug closed (was on Compaq's punch list)
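A defender-side check for the two conditions the thread turns on (UseLogin enabled in sshd_config, and Kerberos V support compiled into sshd), as an added POSIX shell example that is not part of the bug report; the config path, the ldd-based library test and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report. Audits a host for the two
# conditions discussed in the thread: an sshd_config that turns on UseLogin
# (the hole fixed by RHSA-2001-161) and an sshd built with Kerberos V
# support (per the SecurityFocus post, the only affected builds).
# Assumptions: config at /etc/ssh/sshd_config, sshd on $PATH, and that
# Kerberos support shows up as a libkrb5/libgssapi_krb5 link dependency.

# Succeed when the given sshd_config enables UseLogin. sshd uses the first
# occurrence of a directive and defaults UseLogin to "no", so only the first
# non-comment UseLogin line counts; keyword and value are case-insensitive.
uselogin_enabled() {
    val=$(sed 's/#.*//' "$1" 2>/dev/null |
          awk 'tolower($1) == "uselogin" { print tolower($2); exit }')
    [ "$val" = "yes" ]
}

# Succeed when a dynamic-link listing (a file argument, or stdin as produced
# by `ldd sshd`) names a Kerberos V library.
krb5_linked() {
    grep -q -e 'libkrb5' -e 'libgssapi_krb5' "$@"
}

# Run both checks and return 1 if either condition is present.
audit_sshd() {
    cfg="${1:-/etc/ssh/sshd_config}"
    bin="${2:-$(command -v sshd)}"
    rc=0
    echo "openssh package: $(rpm -q openssh 2>/dev/null || echo unknown)"
    if uselogin_enabled "$cfg"; then
        echo "WARN: $cfg enables UseLogin; confirm the RHSA-2001-161 fix is installed"
        rc=1
    else
        echo "ok: UseLogin not enabled in $cfg"
    fi
    if [ -n "$bin" ] && ldd "$bin" 2>/dev/null | krb5_linked; then
        echo "WARN: $bin links Kerberos V libraries (compatibility code compiled in)"
        rc=1
    else
        echo "ok: no Kerberos V libraries linked into ${bin:-sshd}"
    fi
    return $rc
}

# Run the audit when executed as a script named audit_sshd.sh; sourcing the
# file only defines the functions.
case "$0" in *audit_sshd.sh) audit_sshd "$@" ;; esac
```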