creating as a clone of bug 207955 (and also bug 207957 which is for fc5) -- create clone doens't seemt o be workign for me for some reason, so copy/pasted int he description from those bugs. Tavis Ormandy of the Google Security Team discovered a denial of service attack on the openssh sshd daemon when ssh protocol version 1 is enabled. This flaw will cause the openssh server to consume a large quantity of the CPU until the specified timeout is reached. The upstream patches can be found here: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/deattack.c.diff?r1=1.29&r2=1.30&sortby=date&f=h http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/packet.c.diff?r1=1.143&r2=1.144&sortby=date&f=h http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/deattack.h.diff?r1=1.9&r2=1.10&sortby=date&f=h
Thanks a bunch, Steven, for entering this bug. Your entry indicates this af- fects RedHat Linux 7.3. Do you know offhand if this affects all the other RHL and FC releases? Thanks!
Ah. Looks indeed like this vulnerability does affect all RHL & FC releases! Michal Jaegermann posted this to the fedora-legacy-list: (<http://www.redhat.com/archives/fedora-legacy-list/2006-October/msg00010.html>) "FC4 source rpm of openssh-4.2p1 with added recent security fixes is available at ftp://ftp.harddata.com/pub/Legacy_srpms/. At least patches for cve-2006-4924 and cve-2006-5051 do not really differ from what you can find in recent RHEL updates so these can likely be applied (close to?) "as is" in earlier distros as well." Thanks, Michal! -David
Red Hat issued two RHSA's on this issue: * RHSA-2006-0697 <https://rhn.redhat.com/errata/RHSA-2006-0697.html> for RHEL 3 and 4 for the CVE's CVE-2006-4924 CVE-2006-5051 (RHEL 3 is sorta comparable to RHL 9, and RHEL 4 is sorta comparable to FC3); * RHSA-2006-0698 <https://rhn.redhat.com/errata/RHSA-2006-0698.html> for RHEL 2.1, for the CVE's CVE-2006-4924 CVE-2006-0225 CVE-2003-0386 CVE-2006-5051 (RHEL 2.1 is sorta comparable to RHL 7.3). Here is the text from the RHSA-2006-0698 with the 4 CVE issues: "Updated openssh packages that fix several security issues in sshd are now available for Red Hat Enterprise Linux 2.1. "This update has been rated as having important security impact by the Red Hat Security Response Team. ... "Mark Dowd discovered a signal handler race condition in the OpenSSH sshd server. A remote attacker could possibly leverage this flaw to cause a denial of service (crash). (CVE-2006-5051) The OpenSSH project believes the likelihood of successful exploitation leading to arbi- trary code execution appears remote. However, the Red Hat Security Response Team have not yet been able to verify this claim due to lack of upstream vulnerability information. We are therefore including a fix for this flaw and have rated it important security severity in the event our continued investigation finds this issue to be exploitable. "Tavis Ormandy of the Google Security Team discovered a denial of service bug in the OpenSSH sshd server. A remote attacker can send a specially crafted SSH-1 request to the server causing sshd to con- sume a large quantity of CPU resources. (CVE-2006-4924) "An arbitrary command execution flaw was discovered in the way scp copies files locally. It is possible for a local attacker to create a file with a carefully crafted name that could execute arbitrary com- mands as the user running scp to copy files locally. (CVE-2006-0225) "The SSH daemon, when restricting host access by numeric IP addresses and with VerifyReverseMapping disabled, allows remote attackers to bypass "from=" and "user@host" address restrictions by connecting to a host from a system whose reverse DNS hostname contains the numeric IP address. (CVE-2003-0386) "All users of openssh should upgrade to these updated packages, which contain backported patches that resolve these issues."
Created attachment 139178 [details] openssh vendor patch patch addressing CVE-2006-4924 and CVE-2006-5051 from openbsd (openssh vendor).
Created attachment 139179 [details] openssh.spec patch patch for openssh.spec. bumps release to fc4.11 and adds vendor supplied patch.
I'm not to bugzilla savvy as is obvious. The above mentioned patches apply fine to openssh-4.2p1-fc4.10.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have created the following SRPMs for openssh: rh7.3: 4e3edd7b1fb6ba3074a832bdae4ee7b53dd10f73 http://lance.maner.org/openssh-3.1p1-14.4.legacy.src.rpm * Tue Oct 31 2006 Donald Maner <donjr> 3.1p1-14.4.legacy - - Patches for CVE-2006-4924, CVE-2003-0386, and CVE-2006-5051 rh9: 65a730513d88cc6b59c11bec75595864ea5a0ad0 http://lance.maner.org/openssh-3.5p1-11.5.legacy.src.rpm * Tue Oct 31 2006 Donald Maner <donjr> 3.5p1-11.5.legacy - - Patches for CVE-2006-4924 and CVE-2006-5051 fc3: 5b945720b2e1aa38dc77c357b1e243d438353c28 http://lance.maner.org/openssh-3.9p1-8.0.5.legacy.src.rpm * Tue Oct 31 2006 Donald Maner <donjr> 3.9p1-8.0.5.legacy - - Patches for CVE-2006-5051 and CVE-2006-4924 fc4: 1c3272b26892d1a96639ae83135065c4bbe59f6e http://lance.maner.org/openssh-4.2p1-fc4.10.1.legacy.src.rpm * Fri Nov 03 2006 Donald Maner <donjr> - 4.3p2-4.10.1.legacy - - CVE-2006-4924 - prevent DoS on deattack detector (#208727) - - CVE-2006-5051 - don't call cleanups from signal handler (#208727) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFFS6oppxMPKJzn2lIRAuFzAJ4wpxhkI3spdUbzv8uICiE2XlS6EgCfUROQ EP00jL2AQ/Q7FlE2GXK0sbU= =g2Yh -----END PGP SIGNATURE-----
Thanks a bunch, Donald! :-)
Since these haven't been QA'd yet, can we re-spin with a patch for CVE-2006-5794? RH just released updates for this. https://rhn.redhat.com/errata/RHSA-2006-0738.html An authentication flaw was found in OpenSSH's privilege separation monitor. If it ever becomes possible to alter the behavior of the unprivileged process when OpenSSH is using privilege separation, an attacker may then be able to login without possessing proper credentials. (CVE-2006-5794). Seems to effect both FC3 and FC4. Since this is a new issue, we don't need to patch it in RH7.3 and RH9...
Fedora Legacy project has ended. These will not be fixed by Fedora Legacy.