Bug 718133

Summary: CVE-2011-0539 OpenSSH: legacy certificate generation information leak [fedora-15]
Product: [Fedora] Fedora Reporter: Tomas Hoger <thoger>
Component: opensshAssignee: Petr Lautrbach <plautrba>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 15CC: jj3666, mattias.ellert, mgrepl, rvokal, tmraz
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-28 09:05:37 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 675254    

Description Tomas Hoger 2011-07-01 03:01:30 EDT
fedora-15 tracking bug for openssh: see blocks bug list for full details of the security issue(s).

This bug is never intended to be made public, please put any public notes
in the 'blocks' bugs.

[bug automatically created by: add-tracking-bugs]
Comment 1 jj3666 2011-11-28 21:38:19 EST
The blocks bug is closed without listing fedora.  Security scanners are now listing 5.6 as a vulnerability due to due to this problem. Will there be an update to 5.8 in F15, or should I leave the port closed until a scheduled upgrade can be done?
Comment 2 Tomas Mraz 2011-11-29 02:26:42 EST
Do you use the legacy *-cert-v00@openssh.com certificates? If not then you're not vulnerable. This is extremely low impact vulnerability without any known attack. It does not make much sense to update to 5.8 just for this.
Comment 3 jj3666 2011-11-30 00:45:28 EST
I do not use legacy certs, however I use fedora for either a VPN or firewall because the tools are much easier to configure their particular setup.  My clients are required to have a 3rd party vulnerability scan to be in compliance for customer data protection.  They are flagging it level 5 from the CVE, which is a failing status.  I have disabled sshd for now, I was just seeing if it could be packaged, so as not needing scheduled downtime.  Thanks for the reply, I'll just schedule the upgrade, as it is just a few clients, since those running RHEL5 are ok.
Comment 4 Fedora Admin XMLRPC Client 2011-11-30 07:26:22 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 5 Petr Lautrbach 2012-02-28 09:05:37 EST
I believe this is already fixed in openssh-5.6p1-35.fc15:

* Tue Feb 14 2012 Petr Lautrbach <plautrba@redhat.com> 5.6p1-35 + 0.9.2-29
- Fill fields in legacy certificates with random data (#784641)