From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 Description of problem: It appears that CVE-2005-2798 has not yet been addressed in RHEL 3.0. From mitre: "sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts." I can find not mention of backporting this fix into the version of openssh included in RHEL 3.0. Version-Release number of selected component (if applicable): How reproducible: Didn't try Steps to Reproduce: Additional info:
The GSSAPI authentication isn't included in RHEL-3 and RHEL-2.1 openssh packages. Although an old GSSAPI patch is included in the source RPM it is not compiled in.