Common Vulnerabilities and Exposures assigned an identifier CVE-2011-5000 to
the following vulnerability:
Reference: FULLDISC:20110801 Useless OpenSSH resources exhausion bug via GSSAPI
The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and
earlier, when gssapi-with-mic authentication is enabled, allows remote
authenticated users to cause a denial of service (memory consumption)
via a large value in a certain length field. NOTE: there may be
limited scenarios in which this issue is relevant.
The upstream fix for this is here:
Also note that this is a POST-authentication bug, meaning that an attacker would need to have valid credentials to successfully authenticate to the server in order to exploit this. If a user already has the ability to log into the server, there are a number of other mechanisms that could be exploited (arguably easier) to consume excessive resources on the server.
Created openssh tracking bugs for this issue
Affects: fedora-all [bug 809939]
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2012:0884 https://rhn.redhat.com/errata/RHSA-2012-0884.html