Bug 178930 - GSSAPI credentials can be delegated to clients who log in using non-GSSAPI methods
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openssh
Version: 3.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard:
Depends On:
Blocks:
Reported: 2006-01-25 16:10 UTC by Paul Waterman
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-01-25 19:42:32 UTC
Target Upstream Version:
Embargoed:



Description Paul Waterman 2006-01-25 16:10:21 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915

Description of problem:
It appears that CVE-2005-2798 has not yet been addressed in RHEL 3.0.

From mitre: "sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts."

I can find no mention of backporting this fix into the version of openssh included in RHEL 3.0.

Version-Release number of selected component (if applicable):


How reproducible:
Didn't try

Steps to Reproduce:

  

Additional info:

Comment 1 Tomas Mraz 2006-01-25 19:42:32 UTC
The GSSAPI authentication isn't included in RHEL-3 and RHEL-2.1 openssh
packages. Although an old GSSAPI patch is included in the source RPM it is not
compiled in.


