Red Hat Bugzilla – Bug 178930
GSSAPI credentials can be delegated to clients who log in using non-GSSAPI methods
Last modified: 2007-11-30 17:07:09 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915
Description of problem:
It appears that CVE-2005-2798 has not yet been addressed in RHEL 3.0.
From mitre: "sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts."
I can find no mention of backporting this fix into the version of openssh included in RHEL 3.0.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
The GSSAPI authentication isn't included in RHEL-3 and RHEL-2.1 openssh
packages. Although an old GSSAPI patch is included in the source RPM it is not