Red Hat Bugzilla – Bug 718133
CVE-2011-0539 OpenSSH: legacy certificate generation information leak [fedora-15]
Last modified: 2012-02-28 09:05:37 EST
fedora-15 tracking bug for openssh: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes
in the 'blocks' bugs.
[bug automatically created by: add-tracking-bugs]
The blocks bug is closed without listing fedora. Security scanners are now listing 5.6 as a vulnerability due to due to this problem. Will there be an update to 5.8 in F15, or should I leave the port closed until a scheduled upgrade can be done?
Do you use the legacy *-email@example.com certificates? If not then you're not vulnerable. This is extremely low impact vulnerability without any known attack. It does not make much sense to update to 5.8 just for this.
I do not use legacy certs, however I use fedora for either a VPN or firewall because the tools are much easier to configure their particular setup. My clients are required to have a 3rd party vulnerability scan to be in compliance for customer data protection. They are flagging it level 5 from the CVE, which is a failing status. I have disabled sshd for now, I was just seeing if it could be packaged, so as not needing scheduled downtime. Thanks for the reply, I'll just schedule the upgrade, as it is just a few clients, since those running RHEL5 are ok.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
I believe this is already fixed in openssh-5.6p1-35.fc15:
* Tue Feb 14 2012 Petr Lautrbach <firstname.lastname@example.org> 5.6p1-35 + 0.9.2-29
- Fill fields in legacy certificates with random data (#784641)