Bug 908707 (CVE-2010-5107)
| Summary: | CVE-2010-5107 openssh: Prevent connection slot exhaustion attacks | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | btotty, dmcphers, jialiu, jrusnack, lmeyer, mattias.ellert, mgrepl, mmcgrath, mvanderw, Naoya_Ito, plautrba, ryo_tamura, tmraz, yaliu |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | openssh 6.2 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-02-25 09:10:34 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 908710, 1001879 | ||
| Bug Blocks: | 908713, 974906 | ||
|
Description
Jan Lieskovsky
2013-02-07 11:07:46 UTC
Public reproducer to demonstrate this issue was posted to the oss-security list: http://www.openwall.com/lists/oss-security/2013/02/06/5 http://thread.gmane.org/gmane.comp.security.oss.general/9320 This issue affects the versions of the openssh package, as shipped with Red Hat Enterprise Linux 5 and 6. -- This issue affects the versions of the openssh package, as shipped with Fedora release of 16, 17, and 18. Please schedule an update. Created openssh tracking bugs for this issue Affects: fedora-all [bug 908710] openssh-6.1p1-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. openssh-5.9p1-29.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. This flaw was addressed upstream by enabling 'random early drop' by default, via the sshd_config file. The default value of 'MaxStartups' is now changed from 10 to 10:30:100 sshd_config man page describes this as follows: 'Alternatively, random early drop can be enabled by specifying the three colon separated values “start:rate:full” (e.g."10:30:60"). sshd(8) will refuse connection attempts with a probability of “rate/100” (30%) if there are currently “start” (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches “full” (60).' This flaw can be mitigated in the versions of OpenSSH shipped with Red Hat Enterprise Linux 5 and 6, by setting the value of 'MaxStartups' as described above. (Values should be changed as per requirement) Statement: Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/. New default for MaxStartups is used in upstream OpenSSH starting with version 6.2. This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2013:1591 https://rhn.redhat.com/errata/RHSA-2013-1591.html This issue has been addressed in following products: RHEV-H and Agents for RHEL-6 Via RHSA-2013:1527 https://rhn.redhat.com/errata/RHSA-2013-1527.html |