Red Hat Bugzilla – Full Text Bug Listing
|Summary:||CVE-2011-0539 OpenSSH: legacy certificate generation information leak [fedora-15]|
|Product:||[Fedora] Fedora||Reporter:||Tomas Hoger <thoger>|
|Component:||openssh||Assignee:||Petr Lautrbach <plautrba>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||15||CC:||jj3666, mattias.ellert, mgrepl, rvokal, tmraz|
|Target Milestone:||---||Keywords:||Security, SecurityTracking|
|Fixed In Version:||Doc Type:||Release Note|
|Doc Text:||Story Points:||---|
|Last Closed:||2012-02-28 09:05:37 EST||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:|
Description Tomas Hoger 2011-07-01 03:01:30 EDT
fedora-15 tracking bug for openssh: see blocks bug list for full details of the security issue(s). This bug is never intended to be made public, please put any public notes in the 'blocks' bugs. [bug automatically created by: add-tracking-bugs]
Comment 1 jj3666 2011-11-28 21:38:19 EST
The blocks bug is closed without listing fedora. Security scanners are now listing 5.6 as a vulnerability due to due to this problem. Will there be an update to 5.8 in F15, or should I leave the port closed until a scheduled upgrade can be done?
Comment 2 Tomas Mraz 2011-11-29 02:26:42 EST
Do you use the legacy *-firstname.lastname@example.org certificates? If not then you're not vulnerable. This is extremely low impact vulnerability without any known attack. It does not make much sense to update to 5.8 just for this.
Comment 3 jj3666 2011-11-30 00:45:28 EST
I do not use legacy certs, however I use fedora for either a VPN or firewall because the tools are much easier to configure their particular setup. My clients are required to have a 3rd party vulnerability scan to be in compliance for customer data protection. They are flagging it level 5 from the CVE, which is a failing status. I have disabled sshd for now, I was just seeing if it could be packaged, so as not needing scheduled downtime. Thanks for the reply, I'll just schedule the upgrade, as it is just a few clients, since those running RHEL5 are ok.
Comment 4 Fedora Admin XMLRPC Client 2011-11-30 07:26:22 EST
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.