Bug 718133 - CVE-2011-0539 OpenSSH: legacy certificate generation information leak [fedora-15]
CVE-2011-0539 OpenSSH: legacy certificate generation information leak [fedora...
Product: Fedora
Classification: Fedora
Component: openssh (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Petr Lautrbach
Fedora Extras Quality Assurance
: Security, SecurityTracking
Depends On:
Blocks: CVE-2011-0539
  Show dependency treegraph
Reported: 2011-07-01 03:01 EDT by Tomas Hoger
Modified: 2012-02-28 09:05 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-02-28 09:05:37 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2011-07-01 03:01:30 EDT
fedora-15 tracking bug for openssh: see blocks bug list for full details of the security issue(s).

This bug is never intended to be made public, please put any public notes
in the 'blocks' bugs.

[bug automatically created by: add-tracking-bugs]
Comment 1 jj3666 2011-11-28 21:38:19 EST
The blocks bug is closed without listing fedora.  Security scanners are now listing 5.6 as a vulnerability due to due to this problem. Will there be an update to 5.8 in F15, or should I leave the port closed until a scheduled upgrade can be done?
Comment 2 Tomas Mraz 2011-11-29 02:26:42 EST
Do you use the legacy *-cert-v00@openssh.com certificates? If not then you're not vulnerable. This is extremely low impact vulnerability without any known attack. It does not make much sense to update to 5.8 just for this.
Comment 3 jj3666 2011-11-30 00:45:28 EST
I do not use legacy certs, however I use fedora for either a VPN or firewall because the tools are much easier to configure their particular setup.  My clients are required to have a 3rd party vulnerability scan to be in compliance for customer data protection.  They are flagging it level 5 from the CVE, which is a failing status.  I have disabled sshd for now, I was just seeing if it could be packaged, so as not needing scheduled downtime.  Thanks for the reply, I'll just schedule the upgrade, as it is just a few clients, since those running RHEL5 are ok.
Comment 4 Fedora Admin XMLRPC Client 2011-11-30 07:26:22 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 5 Petr Lautrbach 2012-02-28 09:05:37 EST
I believe this is already fixed in openssh-5.6p1-35.fc15:

* Tue Feb 14 2012 Petr Lautrbach <plautrba@redhat.com> 5.6p1-35 + 0.9.2-29
- Fill fields in legacy certificates with random data (#784641)

Note You need to log in before you can comment on or make changes to this bug.