Bug 178930 - GSSAPI credentials can be delegated to clients who log in using non-GSSAPI methods
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openssh
All Linux
medium Severity medium
Assigned To: Tomas Mraz
Brian Brock
: Security
Reported: 2006-01-25 11:10 EST by Paul Waterman
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2006-01-25 14:42:32 EST

Description Paul Waterman 2006-01-25 11:10:21 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915

Description of problem:
It appears that CVE-2005-2798 has not yet been addressed in RHEL 3.0.

From mitre: "sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts."

I can find no mention of backporting this fix into the version of openssh included in RHEL 3.0.

Version-Release number of selected component (if applicable):

How reproducible:
Didn't try

Steps to Reproduce:


Additional info:
Comment 1 Tomas Mraz 2006-01-25 14:42:32 EST
The GSSAPI authentication isn't included in RHEL-3 and RHEL-2.1 openssh
packages. Although an old GSSAPI patch is included in the source RPM it is not
compiled in.
