Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : openssh (SSA:2006-272-02)

{"result": {"cve": [{"id": "CVE-2006-5052", "type": "cve", "title": "CVE-2006-5052", "description": "Unspecified vulnerability in portable OpenSSH before 4.4, when running on some platforms, allows remote attackers to determine the validity of usernames via unknown vectors involving a GSSAPI \"authentication abort.\"", "published": "2006-09-27T19:07:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5052", "cvelist": ["CVE-2006-5052"], "lastseen": "2017-07-20T10:49:33"}, {"id": "CVE-2006-5051", "type": "cve", "title": "CVE-2006-5051", "description": "Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.", "published": "2006-09-27T19:07:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5051", "cvelist": ["CVE-2006-5051"], "lastseen": "2017-07-20T10:49:33"}, {"id": "CVE-2006-4924", "type": "cve", "title": "CVE-2006-4924", "description": "sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector.", "published": "2006-09-26T21:07:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4924", "cvelist": ["CVE-2006-4924"], "lastseen": "2017-07-20T10:49:33"}], "f5": [{"id": "F5:K6876", "type": "f5", "title": "OpenSSH vulnerabilities CVE-2006-5052", "description": "", "published": "2006-12-08T03:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://support.f5.com/csp/article/K6876", "cvelist": ["CVE-2006-5052"], "lastseen": "2017-06-08T00:16:02"}, {"id": "SOL6876", "type": "f5", "title": "SOL6876 - OpenSSH vulnerabilities CVE-2006-5052", "description": "This security advisory describes an OpenSSH vulnerability. OpenSSH versions previous to version 4.4, on platforms with GSSAPI enabled, allow remote attackers to determine the validity of usernames through a Generic Security Services Application Program Interface (GSSAPI) **authentication abort** response.\n\n**Important**: F5 disables GSSAPI by default, although some third-party platforms have GSSAPI enabled.\n\nThe **authentication abort** response is issued when GSSAPI is enabled and a user attempts to log in a certain number of times using an incorrect password. Remote attackers can use this **authentication abort** response to validate whether the username exists on the system.\n\nInformation about this advisory is available at the following location:\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5052>\n\n**Note**: This link takes you to a resource outside of AskF5, and it is possible that the information may be removed without our knowledge.\n", "published": "2006-12-07T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/6000/800/sol6876.html", "cvelist": ["CVE-2006-5052"], "lastseen": "2016-09-26T17:23:07"}, {"id": "SOL6736", "type": "f5", "title": "SOL6736 - OpenSSH vulnerabilities CAN-2006-5051, CAN-2006-4924", "description": "This security advisory describes an OpenSSH Signal Handling vulnerability (CVE-2006-5051). A remote attacker could possibly leverage this flaw to cause a denial of service.\n\nThis security advisory also describes a denial of service bug (CVE-2006-4924) in the OpenSSH **sshd** server. A remote attacker can send a specially crafted SSH-1 request to the server causing the SSH daemon, **sshd**, to consume a large quantity of CPU resources.\n\nInformation about this advisory is available at the following locations:\n\n**Note**: These links take you to a resource outside of AskF5, and it is possible that the documents may be removed without our knowledge.\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051>\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924>\n\n**Note**: The vulnerable F5 products listed use the SSH versions determined to be vulnerable to advisory CVE-2006-5051. However, the GSSAPI authentication features required to exploit the vulnerability are not enabled.\n\nF5 Product Development tracked this issue as CR70329, CR70330, and CR70313 for BIG-IP LTM, BIG-IP GTM and BIG-IP ASM, and it was fixed in version 9.4.2. For information about upgrading, refer to the BIG-IP LTM, GTM, ASM release notes.\n\nF5 Product Development tracked this issue as CR70315 for Enterprise Manager, and it was fixed in version 1.4.1. For information about upgrading, refer to the Enterprise Manager release notes.\n", "published": "2006-10-10T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/6000/700/sol6736.html", "cvelist": ["CVE-2006-5051", "CVE-2006-4924"], "lastseen": "2016-09-26T17:23:16"}, {"id": "SOL14742", "type": "f5", "title": "SOL14742 - OpenSSH vulnerability CVE-2008-4109", "description": "Recommended action\n\nNone \n\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "published": "2013-10-10T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/14000/700/sol14742.html", "cvelist": ["CVE-2006-5051", "CVE-2008-4109"], "lastseen": "2016-11-09T00:09:41"}, {"id": "F5:K6736", "type": "f5", "title": "OpenSSH vulnerabilities CAN-2006-5051, CAN-2006-4924", "description": "", "published": "2006-10-11T04:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://support.f5.com/csp/article/K6736", "cvelist": ["CVE-2006-5051", "CVE-2006-4924"], "lastseen": "2017-06-08T00:16:22"}, {"id": "F5:K6881", "type": "f5", "title": "SSHv1 vulnerabilities CVE-2006-4924", "description": "", "published": "2006-12-12T03:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://support.f5.com/csp/article/K6881", "cvelist": ["CVE-2006-4924"], "lastseen": "2017-06-08T00:16:38"}, {"id": "SOL6881", "type": "f5", "title": "SOL6881 - SSHv1 vulnerabilities CVE-2006-4924", "description": "This security advisory describes an OpenSSH version 1 vulnerability. When using version SSH version 1 protocol, remote attacks cause a denial of service attack when the **sshd** process is used in OpenSSH versions previous to version 4.4. This occurs when using an SSH packet that contains duplicate blocks. The SSH packets that contain duplicate blocks are not handled correctly by the CRC compensation attack detector, which results in high CPU consumption.\n\nInformation about this advisory is available at the following location:\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924>\n", "published": "2006-12-11T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/6000/800/sol6881.html", "cvelist": ["CVE-2006-4924"], "lastseen": "2016-09-26T17:23:06"}], "osvdb": [{"id": "OSVDB:29266", "type": "osvdb", "title": "OpenSSH GSSAPI Authentication Abort Username Enumeration", "description": "## Vulnerability Description\nOpenSSH, when configured to use GSSAPI authentication, is prone to a remote information disclosure weakness. The issue occurs due to the GSSAPI authentication routine responding differently to an attacker who lets the connection proceed normally versus aborting the connection prematurely. This different in the system's response allows an attacker to determine which accounts are valid.\n## Solution Description\nUpgrade to version 4.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nOpenSSH, when configured to use GSSAPI authentication, is prone to a remote information disclosure weakness. The issue occurs due to the GSSAPI authentication routine responding differently to an attacker who lets the connection proceed normally versus aborting the connection prematurely. This different in the system's response allows an attacker to determine which accounts are valid.\n## References:\nVendor Specific News/Changelog Entry: http://openssh.org/txt/release-4.4\n[Vendor Specific Advisory URL](http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.592566)\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200611-06.xml)\n[Vendor Specific Advisory URL](http://lists.suse.com/archive/suse-security-announce/2006-Oct/0005.html)\n[Secunia Advisory ID:22183](https://secuniaresearch.flexerasoftware.com/advisories/22183/)\n[Secunia Advisory ID:22173](https://secuniaresearch.flexerasoftware.com/advisories/22173/)\n[Secunia Advisory ID:22236](https://secuniaresearch.flexerasoftware.com/advisories/22236/)\n[Secunia Advisory ID:22158](https://secuniaresearch.flexerasoftware.com/advisories/22158/)\n[Secunia Advisory ID:22495](https://secuniaresearch.flexerasoftware.com/advisories/22495/)\n[Secunia Advisory ID:22196](https://secuniaresearch.flexerasoftware.com/advisories/22196/)\n[Secunia Advisory ID:22823](https://secuniaresearch.flexerasoftware.com/advisories/22823/)\nRedHat RHSA: RHSA-2006:0698\nRedHat RHSA: RHSA-2006:0697\nOther Advisory URL: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:22.openssh.asc\n[CVE-2006-5052](https://vulners.com/cve/CVE-2006-5052)\n", "published": "2006-09-29T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://vulners.com/osvdb/OSVDB:29266", "cvelist": ["CVE-2006-5052"], "lastseen": "2017-04-28T13:20:25"}, {"id": "OSVDB:29264", "type": "osvdb", "title": "OpenSSH Signal Handler Pre-authentication Race Condition Code Execution", "description": "## Vulnerability Description\nOpenSSH (portable) contains a flaw that may allow a remote attacker to execute arbitrary code under some circumstances. When configured with GSSAPI authentication, the signal handler is prone to a race condition that could be exploited to conduct a Denial of Service and possibly execute arbitrary code. No further details have been provided.\n\nNote: On OpenSSH, this vulnerability can only be leveraged for a remote Denial of Service. The conditions for remote exploitation to execute arbitrary code are considered to be unlikely.\n## Solution Description\nUpgrade to version 4.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nOpenSSH (portable) contains a flaw that may allow a remote attacker to execute arbitrary code under some circumstances. When configured with GSSAPI authentication, the signal handler is prone to a race condition that could be exploited to conduct a Denial of Service and possibly execute arbitrary code. No further details have been provided.\n\nNote: On OpenSSH, this vulnerability can only be leveraged for a remote Denial of Service. The conditions for remote exploitation to execute arbitrary code are considered to be unlikely.\n## References:\nVendor Specific News/Changelog Entry: http://marc.theaimsgroup.com/?l=openbsd-cvs&m=115589252024127&w=2\nVendor Specific News/Changelog Entry: http://openssh.org/txt/release-4.4\n[Vendor Specific Advisory URL](http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.592566)\n[Vendor Specific Advisory URL](http://www.mandriva.com/security/advisories?name=MDKSA-2006:179)\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc)\n[Vendor Specific Advisory URL](http://support.avaya.com/elmodocs2/security/ASA-2006-216.htm)\n[Vendor Specific Advisory URL](http://www.openbsd.org/errata.html#ssh)\n[Vendor Specific Advisory URL](http://www.ubuntu.com/usn/usn-355-1)\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200611-06.xml)\n[Vendor Specific Advisory URL](http://lists.suse.com/archive/suse-security-announce/2006-Oct/0005.html)\n[Vendor Specific Advisory URL](http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html)\n[Secunia Advisory ID:22173](https://secuniaresearch.flexerasoftware.com/advisories/22173/)\n[Secunia Advisory ID:22183](https://secuniaresearch.flexerasoftware.com/advisories/22183/)\n[Secunia Advisory ID:22236](https://secuniaresearch.flexerasoftware.com/advisories/22236/)\n[Secunia Advisory ID:24805](https://secuniaresearch.flexerasoftware.com/advisories/24805/)\n[Secunia Advisory ID:24799](https://secuniaresearch.flexerasoftware.com/advisories/24799/)\n[Secunia Advisory ID:22158](https://secuniaresearch.flexerasoftware.com/advisories/22158/)\n[Secunia Advisory ID:22245](https://secuniaresearch.flexerasoftware.com/advisories/22245/)\n[Secunia Advisory ID:22362](https://secuniaresearch.flexerasoftware.com/advisories/22362/)\n[Secunia Advisory ID:22352](https://secuniaresearch.flexerasoftware.com/advisories/22352/)\n[Secunia Advisory ID:22495](https://secuniaresearch.flexerasoftware.com/advisories/22495/)\n[Secunia Advisory ID:22487](https://secuniaresearch.flexerasoftware.com/advisories/22487/)\n[Secunia Advisory ID:22196](https://secuniaresearch.flexerasoftware.com/advisories/22196/)\n[Secunia Advisory ID:22208](https://secuniaresearch.flexerasoftware.com/advisories/22208/)\n[Secunia Advisory ID:22270](https://secuniaresearch.flexerasoftware.com/advisories/22270/)\n[Secunia Advisory ID:22823](https://secuniaresearch.flexerasoftware.com/advisories/22823/)\n[Secunia Advisory ID:22926](https://secuniaresearch.flexerasoftware.com/advisories/22926/)\n[Secunia Advisory ID:23680](https://secuniaresearch.flexerasoftware.com/advisories/23680/)\nRedHat RHSA: RHSA-2006:0698\nRedHat RHSA: RHSA-2006:0697-9\nRedHat RHSA: RHSA-2006:0697\nOther Advisory URL: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:22.openssh.asc\nOther Advisory URL: http://www.us.debian.org/security/2006/dsa-1189\nOther Advisory URL: http://www.us.debian.org/security/2006/dsa-1212\nOther Advisory URL: http://www-unix.globus.org/mail_archive/security-announce/2007/04/msg00000.html\nISS X-Force ID: 29254\n[CVE-2006-5051](https://vulners.com/cve/CVE-2006-5051)\nBugtraq ID: 20241\n", "published": "2006-09-28T09:33:49", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:29264", "cvelist": ["CVE-2006-5051"], "lastseen": "2017-04-28T13:20:25"}, {"id": "OSVDB:29152", "type": "osvdb", "title": "OpenSSH Identical Block Packet DoS", "description": "## Vulnerability Description\nOpenSSH contains a flaw that may allow a pre-authentication remote denial of service. The issue is triggered when SSH version 1 is used via an SSH packet that contains duplicate blocks, and will result in loss of availability for the service.\n## Technical Description\nThis issue can only be exploited when the version 1 SSH protocol is enabled.\n## Solution Description\nUpgrade to version 4.4 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): disable SSH protocol version 1 in /etc/ssh/sshd_config\n## Short Description\nOpenSSH contains a flaw that may allow a pre-authentication remote denial of service. The issue is triggered when SSH version 1 is used via an SSH packet that contains duplicate blocks, and will result in loss of availability for the service.\n## References:\nVendor Specific News/Changelog Entry: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/deattack.c?rev=1.30&content-type=text/x-cvsweb-markup\nVendor Specific News/Changelog Entry: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207955\nVendor Specific News/Changelog Entry: http://openssh.org/txt/release-4.4\n[Vendor Specific Advisory URL](http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.592566)\n[Vendor Specific Advisory URL](http://www.trustix.org/errata/2006/0054/)\n[Vendor Specific Advisory URL](http://www.mandriva.com/security/advisories?name=MDKSA-2006:179)\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc)\n[Vendor Specific Advisory URL](http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA)\n[Vendor Specific Advisory URL](http://support.avaya.com/elmodocs2/security/ASA-2006-262.htm)\n[Vendor Specific Advisory URL](https://issues.rpath.com/browse/RPL-661)\n[Vendor Specific Advisory URL](http://lists.suse.com/archive/suse-security-announce/2006-Oct/0001.html)\n[Vendor Specific Advisory URL](http://support.avaya.com/elmodocs2/security/ASA-2006-216.htm)\n[Vendor Specific Advisory URL](http://www.openbsd.org/errata.html#ssh)\n[Vendor Specific Advisory URL](http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=115939141729160&w=2)\n[Vendor Specific Advisory URL](http://www.ubuntu.com/usn/usn-355-1)\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200609-17.xml)\n[Vendor Specific Advisory URL](http://lists.suse.com/archive/suse-security-announce/2006-Oct/0005.html)\n[Vendor Specific Advisory URL](http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html)\n[Secunia Advisory ID:22183](https://secuniaresearch.flexerasoftware.com/advisories/22183/)\n[Secunia Advisory ID:22236](https://secuniaresearch.flexerasoftware.com/advisories/22236/)\n[Secunia Advisory ID:23340](https://secuniaresearch.flexerasoftware.com/advisories/23340/)\n[Secunia Advisory ID:24805](https://secuniaresearch.flexerasoftware.com/advisories/24805/)\n[Secunia Advisory ID:24799](https://secuniaresearch.flexerasoftware.com/advisories/24799/)\n[Secunia Advisory ID:22091](https://secuniaresearch.flexerasoftware.com/advisories/22091/)\n[Secunia Advisory ID:22158](https://secuniaresearch.flexerasoftware.com/advisories/22158/)\n[Secunia Advisory ID:22245](https://secuniaresearch.flexerasoftware.com/advisories/22245/)\n[Secunia Advisory ID:22362](https://secuniaresearch.flexerasoftware.com/advisories/22362/)\n[Secunia Advisory ID:22352](https://secuniaresearch.flexerasoftware.com/advisories/22352/)\n[Secunia Advisory ID:22495](https://secuniaresearch.flexerasoftware.com/advisories/22495/)\n[Secunia Advisory ID:23241](https://secuniaresearch.flexerasoftware.com/advisories/23241/)\n[Secunia Advisory ID:21923](https://secuniaresearch.flexerasoftware.com/advisories/21923/)\n[Secunia Advisory ID:22116](https://secuniaresearch.flexerasoftware.com/advisories/22116/)\n[Secunia Advisory ID:22487](https://secuniaresearch.flexerasoftware.com/advisories/22487/)\n[Secunia Advisory ID:25608](https://secuniaresearch.flexerasoftware.com/advisories/25608/)\n[Secunia Advisory ID:22164](https://secuniaresearch.flexerasoftware.com/advisories/22164/)\n[Secunia Advisory ID:22196](https://secuniaresearch.flexerasoftware.com/advisories/22196/)\n[Secunia Advisory ID:22208](https://secuniaresearch.flexerasoftware.com/advisories/22208/)\n[Secunia Advisory ID:22270](https://secuniaresearch.flexerasoftware.com/advisories/22270/)\n[Secunia Advisory ID:22298](https://secuniaresearch.flexerasoftware.com/advisories/22298/)\n[Secunia Advisory ID:22926](https://secuniaresearch.flexerasoftware.com/advisories/22926/)\n[Secunia Advisory ID:23038](https://secuniaresearch.flexerasoftware.com/advisories/23038/)\n[Secunia Advisory ID:23680](https://secuniaresearch.flexerasoftware.com/advisories/23680/)\nRedHat RHSA: RHSA-2006:0698\nRedHat RHSA: RHSA-2006:0697\nOther Advisory URL: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:22.openssh.asc\nOther Advisory URL: http://www.us.debian.org/security/2006/dsa-1189\nOther Advisory URL: http://www.us.debian.org/security/2006/dsa-1212\nOther Advisory URL: http://www-unix.globus.org/mail_archive/security-announce/2007/04/msg00000.html\nOther Advisory URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102962-1\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-12/0091.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-12/0306.html\nGeneric Exploit URL: http://www.milw0rm.com/exploits/2444\n[CVE-2006-4924](https://vulners.com/cve/CVE-2006-4924)\nBugtraq ID: 20216\n", "published": "2006-09-25T06:34:16", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:29152", "cvelist": ["CVE-2006-4924"], "lastseen": "2017-04-28T13:20:25"}], "openvas": [{"id": "OPENVAS:861170", "type": "openvas", "title": "Fedora Update for openssh FEDORA-2007-394", "description": "Check for the Version of openssh", "published": "2009-02-27T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=861170", "cvelist": ["CVE-2006-5052"], "lastseen": "2017-07-25T10:56:11"}, {"id": "OPENVAS:57919", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200611-06 (openssh)", "description": "The remote host is missing updates announced in\nadvisory GLSA 200611-06.", "published": "2008-09-24T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=57919", "cvelist": ["CVE-2006-5052", "CVE-2006-5051"], "lastseen": "2017-07-24T12:50:20"}, {"id": "OPENVAS:1361412562310122637", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2007-0540", "description": "Oracle Linux Local Security Checks ELSA-2007-0540", "published": "2015-10-08T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122637", "cvelist": ["CVE-2006-5052", "CVE-2007-3102"], "lastseen": "2017-07-24T12:53:55"}, {"id": "OPENVAS:57492", "type": "openvas", "title": "Slackware Advisory SSA:2006-272-02 openssh", "description": "The remote host is missing an update as announced\nvia advisory SSA:2006-272-02.", "published": "2012-09-11T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=57492", "cvelist": ["CVE-2006-5052", "CVE-2006-5051", "CVE-2006-4924"], "lastseen": "2017-07-24T12:51:17"}, {"id": "OPENVAS:861319", "type": "openvas", "title": "Fedora Update for openssh FEDORA-2007-395", "description": "Check for the Version of openssh", "published": "2009-02-27T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=861319", "cvelist": ["CVE-2006-5052", "CVE-2006-5051", "CVE-2006-5794", "CVE-2006-4924"], "lastseen": "2017-07-25T10:56:56"}, {"id": "OPENVAS:65248", "type": "openvas", "title": "SLES9: Security update for OpenSSH", "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n openssh\n openssh-askpass\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5019505 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "published": "2009-10-10T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=65248", "cvelist": ["CVE-2006-5052", "CVE-2006-4925", "CVE-2006-5051", "CVE-2006-4924"], "lastseen": "2017-07-26T08:56:22"}, {"id": "OPENVAS:57585", "type": "openvas", "title": "Debian Security Advisory DSA 1212-1 (openssh (1:3.8.1p1-8.sarge.6))", "description": "The remote host is missing an update to openssh (1:3.8.1p1-8.sarge.6)\nannounced via advisory DSA 1212-1.\n\nTwo denial of service vulnerabilities have been found in the OpenSSH\nserver.\n\nCVE-2006-4924\nThe sshd support for ssh protcol version 1 does not properly\nhandle duplicate incoming blocks. This could allow a remote\nattacker to cause sshd to consume significant CPU resources\nleading to a denial of service.\n\nCVE-2006-5051\nA signal handler race condition could potentially allow a remote\nattacker to crash sshd and could theoretically lead to the\nability to execute arbitrary code.", "published": "2008-01-17T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=57585", "cvelist": ["CVE-2006-5051", "CVE-2006-4924"], "lastseen": "2017-07-24T12:50:16"}, {"id": "OPENVAS:57476", "type": "openvas", "title": "FreeBSD Security Advisory (FreeBSD-SA-06:22.openssh.asc)", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory FreeBSD-SA-06:22.openssh.asc", "published": "2008-09-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=57476", "cvelist": ["CVE-2006-5051", "CVE-2006-4924"], "lastseen": "2017-07-02T21:10:10"}, {"id": "OPENVAS:61639", "type": "openvas", "title": "Debian Security Advisory DSA 1638-1 (openssh)", "description": "The remote host is missing an update to openssh\nannounced via advisory DSA 1638-1.", "published": "2008-09-24T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=61639", "cvelist": ["CVE-2006-5051", "CVE-2008-4109"], "lastseen": "2017-07-24T12:50:09"}, {"id": "OPENVAS:57483", "type": "openvas", "title": "Debian Security Advisory DSA 1189-1 (openssh-krb5)", "description": "The remote host is missing an update to openssh-krb5\nannounced via advisory DSA 1189-1.\n\nSeveral remote vulnerabilities have been discovered in OpenSSH, a free\nimplementation of the Secure Shell protocol, which may lead to denial of\nservice and potentially the execution of arbitrary code. The Common\nVulnerabilities and Exposures project identifies the following problems:\n\nCVE-2006-4924\n\nTavis Ormandy of the Google Security Team discovered a denial of\nservice vulnerability in the mitigation code against complexity\nattacks, which might lead to increased CPU consumption until a\ntimeout is triggered. This is only exploitable if support for\nSSH protocol version 1 is enabled.\n\nCVE-2006-5051\n\nMark Dowd discovered that insecure signal handler usage could\npotentially lead to execution of arbitrary code through a double\nfree. The Debian Security Team doesn't believe the general openssh\npackage without Kerberos support to be exploitable by this issue.\nHowever, due to the complexity of the underlying code we will\nissue an update to rule out all eventualities.", "published": "2008-01-17T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=57483", "cvelist": ["CVE-2006-5051", "CVE-2006-4924"], "lastseen": "2017-07-24T12:50:05"}], "nessus": [{"id": "CENTOS_RHSA-2007-0703.NASL", "type": "nessus", "title": "CentOS 4 : openssh (CESA-2007:0703)", "description": "Updated openssh packages that fix two security issues and various bugs are now available.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server.\n\nA flaw was found in the way the ssh server wrote account names to the audit subsystem. An attacker could inject strings containing parts of audit messages which could possibly mislead or confuse audit log parsing tools. (CVE-2007-3102)\n\nA flaw was found in the way the OpenSSH server processes GSSAPI authentication requests. When GSSAPI authentication was enabled in OpenSSH server, a remote attacker may have been able to determine if a username is valid. (CVE-2006-5052)\n\nThe following bugs were also fixed :\n\n* the ssh daemon did not generate audit messages when an ssh session was closed.\n\n* GSSAPI authentication sometimes failed on clusters using DNS or load-balancing.\n\n* the sftp client and server leaked small amounts of memory in some cases.\n\n* the sftp client didn't properly exit and return non-zero status in batch mode when the destination disk drive was full.\n\n* when restarting the ssh daemon with the initscript, the ssh daemon was sometimes not restarted successfully because the old running ssh daemon was not properly killed.\n\n* with challenge/response authentication enabled, the pam sub-process was not terminated if the user authentication timed out.\n\nAll users of openssh should upgrade to these updated packages, which contain patches to correct these issues.", "published": "2013-06-29T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=67053", "cvelist": ["CVE-2006-5052", "CVE-2007-3102"], "lastseen": "2016-09-26T17:24:48"}, {"id": "SL_20071109_OPENSSH_ON_SL5.NASL", "type": "nessus", "title": "Scientific Linux Security Update : openssh on SL5.x", "description": "Problem description :\n\nA flaw was found in the way the ssh server wrote account names to the audit subsystem. An attacker could inject strings containing parts of audit messages, which could possibly mislead or confuse audit log parsing tools. (CVE-2007-3102)\n\nA flaw was found in the way the OpenSSH server processes GSSAPI authentication requests. When GSSAPI authentication was enabled in the OpenSSH server, a remote attacker was potentially able to determine if a username is valid. (CVE-2006-5052)\n\nThe following bugs in SELinux MLS (Multi-Level Security) support has also been fixed in this update :\n\n - It was sometimes not possible to select a SELinux role and level when logging in using ssh.\n\n - If the user obtained a non-default SELinux role or level, the role change was not recorded in the audit subsystem.\n\n - In some cases, on labeled networks, sshd allowed logins from level ranges it should not allow.\n\nThe updated packages also contain experimental support for using private keys stored in PKCS#11 tokens for client authentication. The support is provided through the NSS (Network Security Services) library.", "published": "2012-08-01T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=60296", "cvelist": ["CVE-2006-5052", "CVE-2007-3102"], "lastseen": "2016-09-26T17:24:20"}, {"id": "SL_20071115_OPENSSH_ON_SL4_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : openssh on SL4.x i386/x86_64", "description": "A flaw was found in the way the ssh server wrote account names to the audit subsystem. An attacker could inject strings containing parts of audit messages which could possibly mislead or confuse audit log parsing tools. (CVE-2007-3102)\n\nA flaw was found in the way the OpenSSH server processes GSSAPI authentication requests. When GSSAPI authentication was enabled in OpenSSH server, a remote attacker may have been able to determine if a username is valid. (CVE-2006-5052)\n\nThe following bugs were also fixed :\n\n - the ssh daemon did not generate audit messages when an ssh session was closed.\n\n - GSSAPI authentication sometimes failed on clusters using DNS or load-balancing.\n\n - the sftp client and server leaked small amounts of memory in some cases.\n\n - the sftp client didn't properly exit and return non-zero status in batch mode when the destination disk drive was full.\n\n - when restarting the ssh daemon with the initscript, the ssh daemon was sometimes not restarted successfully because the old running ssh daemon was not properly killed.\n\n - with challenge/response authentication enabled, the pam sub-process was not terminated if the user authentication timed out.", "published": "2012-08-01T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=60306", "cvelist": ["CVE-2006-5052", "CVE-2007-3102"], "lastseen": "2016-09-26T17:24:07"}, {"id": "REDHAT-RHSA-2007-0540.NASL", "type": "nessus", "title": "RHEL 5 : openssh (RHSA-2007:0540)", "description": "Updated openssh packages that fix a security issue and various bugs are now available.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server.\n\nA flaw was found in the way the ssh server wrote account names to the audit subsystem. An attacker could inject strings containing parts of audit messages, which could possibly mislead or confuse audit log parsing tools. (CVE-2007-3102)\n\nA flaw was found in the way the OpenSSH server processes GSSAPI authentication requests. When GSSAPI authentication was enabled in the OpenSSH server, a remote attacker was potentially able to determine if a username is valid. (CVE-2006-5052)\n\nThe following bugs in SELinux MLS (Multi-Level Security) support has also been fixed in this update :\n\n* It was sometimes not possible to select a SELinux role and level when logging in using ssh.\n\n* If the user obtained a non-default SELinux role or level, the role change was not recorded in the audit subsystem.\n\n* In some cases, on labeled networks, sshd allowed logins from level ranges it should not allow.\n\nThe updated packages also contain experimental support for using private keys stored in PKCS#11 tokens for client authentication. The support is provided through the NSS (Network Security Services) library.\n\nAll users of openssh should upgrade to these updated packages, which contain patches to correct these issues.", "published": "2007-11-08T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=27829", "cvelist": ["CVE-2006-5052", "CVE-2007-3102"], "lastseen": "2016-12-30T02:14:02"}, {"id": "REDHAT-RHSA-2007-0703.NASL", "type": "nessus", "title": "RHEL 4 : openssh (RHSA-2007:0703)", "description": "Updated openssh packages that fix two security issues and various bugs are now available.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server.\n\nA flaw was found in the way the ssh server wrote account names to the audit subsystem. An attacker could inject strings containing parts of audit messages which could possibly mislead or confuse audit log parsing tools. (CVE-2007-3102)\n\nA flaw was found in the way the OpenSSH server processes GSSAPI authentication requests. When GSSAPI authentication was enabled in OpenSSH server, a remote attacker may have been able to determine if a username is valid. (CVE-2006-5052)\n\nThe following bugs were also fixed :\n\n* the ssh daemon did not generate audit messages when an ssh session was closed.\n\n* GSSAPI authentication sometimes failed on clusters using DNS or load-balancing.\n\n* the sftp client and server leaked small amounts of memory in some cases.\n\n* the sftp client didn't properly exit and return non-zero status in batch mode when the destination disk drive was full.\n\n* when restarting the ssh daemon with the initscript, the ssh daemon was sometimes not restarted successfully because the old running ssh daemon was not properly killed.\n\n* with challenge/response authentication enabled, the pam sub-process was not terminated if the user authentication timed out.\n\nAll users of openssh should upgrade to these updated packages, which contain patches to correct these issues.", "published": "2007-11-16T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=28237", "cvelist": ["CVE-2006-5052", "CVE-2007-3102"], "lastseen": "2016-12-30T02:15:23"}, {"id": "GENTOO_GLSA-200611-06.NASL", "type": "nessus", "title": "GLSA-200611-06 : OpenSSH: Multiple Denial of Service vulnerabilities", "description": "The remote host is affected by the vulnerability described in GLSA-200611-06 (OpenSSH: Multiple Denial of Service vulnerabilities)\n\n Tavis Ormandy of the Google Security Team has discovered a pre-authentication vulnerability, causing sshd to spin until the login grace time has been expired. Mark Dowd found an unsafe signal handler that was vulnerable to a race condition. It has also been discovered that when GSSAPI authentication is enabled, GSSAPI will in certain cases incorrectly abort.\n Impact :\n\n The pre-authentication and signal handler vulnerabilities can cause a Denial of Service in OpenSSH. The vulnerability in the GSSAPI authentication abort could be used to determine the validity of usernames on some platforms.\n Workaround :\n\n There is no known workaround at this time.", "published": "2006-11-20T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=23671", "cvelist": ["CVE-2006-5052", "CVE-2006-5051"], "lastseen": "2016-09-26T17:23:05"}, {"id": "ORACLELINUX_ELSA-2006-0697.NASL", "type": "nessus", "title": "Oracle Linux 4 : openssh (ELSA-2006-0697)", "description": "From Red Hat Security Advisory 2006:0697 :\n\nUpdated openssh packages that fix two security flaws are now available for Red Hat Enterprise Linux 3 and 4.\n\nThis update has been rated as having important security impact by the Red Hat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server.\n\nMark Dowd discovered a signal handler race condition in the OpenSSH sshd server. A remote attacker could possibly leverage this flaw to cause a denial of service (crash). (CVE-2006-5051) The OpenSSH project believes the likelihood of successful exploitation leading to arbitrary code execution appears remote. However, the Red Hat Security Response Team have not yet been able to verify this claim due to lack of upstream vulnerability information. We are therefore including a fix for this flaw and have rated it important security severity in the event our continued investigation finds this issue to be exploitable.\n\nTavis Ormandy of the Google Security Team discovered a denial of service bug in the OpenSSH sshd server. A remote attacker can send a specially crafted SSH-1 request to the server causing sshd to consume a large quantity of CPU resources. (CVE-2006-4924)\n\nAll users of openssh should upgrade to these updated packages, which contain backported patches that resolves these issues.", "published": "2013-07-12T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=67412", "cvelist": ["CVE-2006-5052", "CVE-2006-5051", "CVE-2006-4924"], "lastseen": "2016-12-08T05:39:17"}, {"id": "CENTOS_RHSA-2006-0697.NASL", "type": "nessus", "title": "CentOS 3 / 4 : openssh / openssl (CESA-2006:0697)", "description": "Updated openssh packages that fix two security flaws are now available for Red Hat Enterprise Linux 3 and 4.\n\nThis update has been rated as having important security impact by the Red Hat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server.\n\nMark Dowd discovered a signal handler race condition in the OpenSSH sshd server. A remote attacker could possibly leverage this flaw to cause a denial of service (crash). (CVE-2006-5051) The OpenSSH project believes the likelihood of successful exploitation leading to arbitrary code execution appears remote. However, the Red Hat Security Response Team have not yet been able to verify this claim due to lack of upstream vulnerability information. We are therefore including a fix for this flaw and have rated it important security severity in the event our continued investigation finds this issue to be exploitable.\n\nTavis Ormandy of the Google Security Team discovered a denial of service bug in the OpenSSH sshd server. A remote attacker can send a specially crafted SSH-1 request to the server causing sshd to consume a large quantity of CPU resources. (CVE-2006-4924)\n\nAll users of openssh should upgrade to these updated packages, which contain backported patches that resolves these issues.", "published": "2006-10-02T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=22485", "cvelist": ["CVE-2006-5052", "CVE-2006-5051", "CVE-2006-4924"], "lastseen": "2016-11-18T05:27:47"}, {"id": "REDHAT-RHSA-2006-0697.NASL", "type": "nessus", "title": "RHEL 3 / 4 : openssh (RHSA-2006:0697)", "description": "Updated openssh packages that fix two security flaws are now available for Red Hat Enterprise Linux 3 and 4.\n\nThis update has been rated as having important security impact by the Red Hat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server.\n\nMark Dowd discovered a signal handler race condition in the OpenSSH sshd server. A remote attacker could possibly leverage this flaw to cause a denial of service (crash). (CVE-2006-5051) The OpenSSH project believes the likelihood of successful exploitation leading to arbitrary code execution appears remote. However, the Red Hat Security Response Team have not yet been able to verify this claim due to lack of upstream vulnerability information. We are therefore including a fix for this flaw and have rated it important security severity in the event our continued investigation finds this issue to be exploitable.\n\nTavis Ormandy of the Google Security Team discovered a denial of service bug in the OpenSSH sshd server. A remote attacker can send a specially crafted SSH-1 request to the server causing sshd to consume a large quantity of CPU resources. (CVE-2006-4924)\n\nAll users of openssh should upgrade to these updated packages, which contain backported patches that resolves these issues.", "published": "2006-09-29T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=22473", "cvelist": ["CVE-2006-5052", "CVE-2006-5051", "CVE-2006-4924"], "lastseen": "2016-12-30T02:16:01"}, {"id": "SUSE_OPENSSH-2183.NASL", "type": "nessus", "title": "openSUSE 10 Security Update : openssh (openssh-2183)", "description": "Several security problems were fixed in OpenSSH :\n\n - CVE-2006-4924: A denial of service problem has been fixed in OpenSSH which could be used to cause lots of CPU consumption on a remote openssh server.\n\n - CVE-2006-4925: If a remote attacker is able to inject network traffic this could be used to cause a client connection to close.\n\n - CVE-2006-5051: Fixed an unsafe signal hander reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. This vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote.\n\n - CVE-2006-5052: Fixed a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms.", "published": "2007-10-17T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=27365", "cvelist": ["CVE-2006-5052", "CVE-2006-4925", "CVE-2006-5051", "CVE-2006-4924"], "lastseen": "2016-12-23T06:13:45"}], "oraclelinux": [{"id": "ELSA-2007-0703", "type": "oraclelinux", "title": "openssh security and bug fix update", "description": "[3.9p1-8.RHEL4.24]\n- return correct exit status on failed write on sftp batch mode (#247802)\n[3.9p1-8.RHEL4.23]\n- some more mem leaks fix in sftp (#240909)\n[3.9p1-8.RHEL4.22]\n- CVE-2007-3102 escape account name to prevent audit log injection (#248058)\n[3.9p1-8.RHEL4.21]\n- move pam session calls so pam_close_session is always called (#216689)\n- get canonical hostname for gssapi (#216854)\n- CVE-2006-5052 dont leak info about user existence with krb5 auth (#234643)\n- fix some memory leaks in sftp (#240909)\n- correctly kill sshd in initscript (#244655)\n- close unused ends of sockets so [pam] child is always terminated (#247440)", "published": "2007-11-27T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://linux.oracle.com/errata/ELSA-2007-0703.html", "cvelist": ["CVE-2006-5052", "CVE-2007-3102"], "lastseen": "2016-09-04T11:16:39"}, {"id": "ELSA-2007-0540", "type": "oraclelinux", "title": "openssh security and bug fix update", "description": "[4.3p2-24]\n- fixed audit log injection problem (CVE-2007-3102) (#248059)\n[4.3p2-23]\n- document where the nss certificate and token dbs are looked for\n[4.3p2-22]\n- experimental support for PKCS#11 tokens through libnss3 (#183423)\n[4.3p2-21]\n- fix an information leak in Kerberos password authentication (CVE-2006-5052)\n (#234638)\n- correctly setup context when empty level requested (#234951)\n[4.3p2-20]\n- and always request default level as returned by getseuserbyname (#231695)\n[4.3p2-19]\n- check requested level context against a context with the same role (#231695)\n[4.3p2-18]\n- reject connection if requested mls range is not obtained (#229278)\n[4.3p2-17]\n- allow selecting non-default roles and audit role changes (#227733)", "published": "2007-11-19T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://linux.oracle.com/errata/ELSA-2007-0540.html", "cvelist": ["CVE-2006-5052", "CVE-2007-3102"], "lastseen": "2016-09-04T11:16:46"}, {"id": "ELSA-2006-0697", "type": "oraclelinux", "title": "Important openssh security update ", "description": " [3.9p1-8.RHEL4.17]\n - CVE-2006-5051 don't call cleanups from signal handler (#208347)\n \n [3.9p1-8.RHEL4.16]\n - CVE-2006-4924 prevent DoS on deattack detector code (#207955) ", "published": "2006-11-30T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2006-0697.html", "cvelist": ["CVE-2006-5051", "CVE-2006-4924"], "lastseen": "2016-09-04T11:17:07"}], "redhat": [{"id": "RHSA-2007:0540", "type": "redhat", "title": "(RHSA-2007:0540) Moderate: openssh security and bug fix update", "description": "OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. These\npackages include the core files necessary for both the OpenSSH client and\nserver.\n\nA flaw was found in the way the ssh server wrote account names to the audit\nsubsystem. An attacker could inject strings containing parts of audit\nmessages, which could possibly mislead or confuse audit log parsing tools.\n(CVE-2007-3102)\n\nA flaw was found in the way the OpenSSH server processes GSSAPI\nauthentication requests. When GSSAPI authentication was enabled in the\nOpenSSH server, a remote attacker was potentially able to determine if a\nusername is valid. (CVE-2006-5052)\n\nThe following bugs in SELinux MLS (Multi-Level Security) support has also\nbeen fixed in this update:\n\n* It was sometimes not possible to select a SELinux role and level when\nlogging in using ssh.\n\n* If the user obtained a non-default SELinux role or level, the role change\nwas not recorded in the audit subsystem.\n\n* In some cases, on labeled networks, sshd allowed logins from level ranges\nit should not allow.\n\nThe updated packages also contain experimental support for using private\nkeys stored in PKCS#11 tokens for client authentication. The support is\nprovided through the NSS (Network Security Services) library.\n\nAll users of openssh should upgrade to these updated packages, which\ncontain patches to correct these issues.", "published": "2007-11-07T05:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://access.redhat.com/errata/RHSA-2007:0540", "cvelist": ["CVE-2006-5052", "CVE-2007-3102"], "lastseen": "2017-09-08T08:04:50"}, {"id": "RHSA-2007:0703", "type": "redhat", "title": "(RHSA-2007:0703) Moderate: openssh security and bug fix update", "description": "OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. These\npackages include the core files necessary for both the OpenSSH client and\nserver.\n\nA flaw was found in the way the ssh server wrote account names to the\naudit subsystem. An attacker could inject strings containing parts of audit\nmessages which could possibly mislead or confuse audit log parsing tools.\n(CVE-2007-3102)\n\nA flaw was found in the way the OpenSSH server processes GSSAPI\nauthentication requests. When GSSAPI authentication was enabled in OpenSSH\nserver, a remote attacker may have been able to determine if a username is\nvalid. (CVE-2006-5052)\n\nThe following bugs were also fixed:\n\n* the ssh daemon did not generate audit messages when an ssh session was\nclosed.\n\n* GSSAPI authentication sometimes failed on clusters using DNS or\nload-balancing.\n\n* the sftp client and server leaked small amounts of memory in some cases.\n\n* the sftp client didn't properly exit and return non-zero status in batch\nmode when the destination disk drive was full.\n\n* when restarting the ssh daemon with the initscript, the ssh daemon was\nsometimes not restarted successfully because the old running ssh daemon was\nnot properly killed.\n\n* with challenge/response authentication enabled, the pam sub-process was\nnot terminated if the user authentication timed out.\n\nAll users of openssh should upgrade to these updated packages, which\ncontain patches to correct these issues.", "published": "2007-11-15T05:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://access.redhat.com/errata/RHSA-2007:0703", "cvelist": ["CVE-2006-5052", "CVE-2007-3102"], "lastseen": "2017-09-09T07:19:51"}, {"id": "RHSA-2006:0697", "type": "redhat", "title": "(RHSA-2006:0697) openssh security update", "description": "OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This\r\npackage includes the core files necessary for both the OpenSSH client and\r\nserver.\r\n\r\nMark Dowd discovered a signal handler race condition in the OpenSSH sshd\r\nserver. A remote attacker could possibly leverage this flaw to cause a\r\ndenial of service (crash). (CVE-2006-5051) The OpenSSH project believes the\r\nlikelihood of successful exploitation leading to arbitrary code execution\r\nappears remote. However, the Red Hat Security Response Team have not yet\r\nbeen able to verify this claim due to lack of upstream vulnerability\r\ninformation. We are therefore including a fix for this flaw and have rated\r\nit important security severity in the event our continued investigation\r\nfinds this issue to be exploitable.\r\n\r\nTavis Ormandy of the Google Security Team discovered a denial of service\r\nbug in the OpenSSH sshd server. A remote attacker can send a specially\r\ncrafted SSH-1 request to the server causing sshd to consume a large\r\nquantity of CPU resources. (CVE-2006-4924)\r\n\r\nAll users of openssh should upgrade to these updated packages, which\r\ncontain backported patches that resolves these issues.", "published": "2006-09-28T04:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2006:0697", "cvelist": ["CVE-2006-4924", "CVE-2006-5051"], "lastseen": "2017-09-09T07:20:13"}], "centos": [{"id": "CESA-2007:0703", "type": "centos", "title": "openssh security update", "description": "**CentOS Errata and Security Advisory** CESA-2007:0703\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2007-November/014421.html\nhttp://lists.centos.org/pipermail/centos-announce/2007-November/014430.html\n\n**Affected packages:**\nopenssh\nopenssh-askpass\nopenssh-askpass-gnome\nopenssh-clients\nopenssh-server\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2007-0703.html", "published": "2007-11-15T15:52:23", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2007-November/014421.html", "cvelist": ["CVE-2006-5052", "CVE-2007-3102"], "lastseen": "2016-12-05T20:06:56"}, {"id": "CESA-2006:0697", "type": "centos", "title": "openssh, openssl, openssl096b security update", "description": "**CentOS Errata and Security Advisory** CESA-2006:0697\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2006-September/013294.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-September/013295.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-September/013296.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-September/013300.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-September/013301.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-September/013302.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-September/013304.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-September/013305.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-September/013308.html\n\n**Affected packages:**\nopenssh\nopenssh-askpass\nopenssh-askpass-gnome\nopenssh-clients\nopenssh-server\nopenssl\nopenssl-devel\nopenssl-perl\nopenssl096b\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2006-0697.html", "published": "2006-09-29T03:31:38", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2006-September/013294.html", "cvelist": ["CVE-2006-5051", "CVE-2006-4924"], "lastseen": "2016-12-05T20:06:15"}, {"id": "CESA-2006:0698", "type": "centos", "title": "Important openssh security update", "description": "Upstream details at : https://rhn.redhat.com/errata/RHSA-2006-0698.html\nUpdate to the following versions:\nCentOS 2:\n\t- openssh-3.1p1-21.i386.rpm\n\t- openssh-askpass-3.1p1-21.i386.rpm\n\t- openssh-askpass-gnome-3.1p1-21.i386.rpm\n\t- openssh-clients-3.1p1-21.i386.rpm\n\t- openssh-server-3.1p1-21.i386.rpm", "published": "2006-10-02T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2006-October/013310.html", "cvelist": ["CVE-2006-5051", "CVE-2006-0225", "CVE-2003-0386", "CVE-2006-4924"], "lastseen": "2016-09-02T18:52:08"}], "gentoo": [{"id": "GLSA-200611-06", "type": "gentoo", "title": "OpenSSH: Multiple Denial of Service vulnerabilities", "description": "### Background\n\nOpenSSH is a complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. \n\n### Description\n\nTavis Ormandy of the Google Security Team has discovered a pre-authentication vulnerability, causing sshd to spin until the login grace time has been expired. Mark Dowd found an unsafe signal handler that was vulnerable to a race condition. It has also been discovered that when GSSAPI authentication is enabled, GSSAPI will in certain cases incorrectly abort. \n\n### Impact\n\nThe pre-authentication and signal handler vulnerabilities can cause a Denial of Service in OpenSSH. The vulnerability in the GSSAPI authentication abort could be used to determine the validity of usernames on some platforms. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll OpenSSH users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/openssh-4.4_p1-r5\"", "published": "2006-11-13T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/200611-06", "cvelist": ["CVE-2006-5052", "CVE-2006-5051"], "lastseen": "2016-09-06T19:46:17"}, {"id": "GLSA-200609-17", "type": "gentoo", "title": "OpenSSH: Denial of Service", "description": "### Background\n\nOpenSSH is a free suite of applications for the SSH protocol, developed and maintained by the OpenBSD project. \n\n### Description\n\nTavis Ormandy of the Google Security Team discovered a Denial of Service vulnerability in the SSH protocol version 1 CRC compensation attack detector. \n\n### Impact\n\nA remote unauthenticated attacker may be able to trigger excessive CPU usage by sending a pathological SSH message, denying service to other legitimate users or processes. \n\n### Workaround\n\nThe system administrator may disable SSH protocol version 1 in /etc/ssh/sshd_config. \n\n### Resolution\n\nAll OpenSSH users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/openssh-4.3_p2-r5\"", "published": "2006-09-27T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/200609-17", "cvelist": ["CVE-2006-4924"], "lastseen": "2016-09-06T19:46:00"}], "slackware": [{"id": "SSA-2006-272-02", "type": "slackware", "title": "openssh", "description": "New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,\n10.2, and -current to fix security issues.\n\nMore details about these issues may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5052\n\n\nHere are the details from the Slackware 10.2 ChangeLog:\n\npatches/packages/openssh-4.4p1-i486-1_slack10.2.tgz:\n Upgraded to openssh-4.4p1.\n This fixes a few security related issues. From the release notes found at\n http://www.openssh.com/txt/release-4.4:\n * Fix a pre-authentication denial of service found by Tavis Ormandy,\n that would cause sshd(8) to spin until the login grace time\n expired.\n * Fix an unsafe signal hander reported by Mark Dowd. The signal\n handler was vulnerable to a race condition that could be exploited\n to perform a pre-authentication denial of service. On portable\n OpenSSH, this vulnerability could theoretically lead to\n pre-authentication remote code execution if GSSAPI authentication\n is enabled, but the likelihood of successful exploitation appears\n remote.\n * On portable OpenSSH, fix a GSSAPI authentication abort that could\n be used to determine the validity of usernames on some platforms.\n Links to the CVE entries will be found here:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5052\n After this upgrade, make sure the permissions on /etc/rc.d/rc.sshd are set\n the way you want them. Future upgrades will respect the existing permissions\n settings. Thanks to Manuel Reimer for pointing out that upgrading openssh\n would enable a previously disabled sshd daemon.\n Do better checking of passwd, shadow, and group to avoid adding\n redundant entries to these files. Thanks to Menno Duursma.\n (* Security fix *)\n\nWhere to find the new packages:\n\nHINT: Getting slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\nfrom ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 8.1:\nftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/openssh-4.4p1-i386-1_slack8.1.tgz\n\nUpdated package for Slackware 9.0:\nftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/openssh-4.4p1-i386-1_slack9.0.tgz\n\nUpdated package for Slackware 9.1:\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/openssh-4.4p1-i486-1_slack9.1.tgz\n\nUpdated package for Slackware 10.0:\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/openssh-4.4p1-i486-1_slack10.0.tgz\n\nUpdated package for Slackware 10.1:\nftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/openssh-4.4p1-i486-1_slack10.1.tgz\n\nUpdated package for Slackware 10.2:\nftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/openssh-4.4p1-i486-1_slack10.2.tgz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssh-4.4p1-i486-1.tgz\n\n\n\nMD5 signatures:\n\nSlackware 8.1 package:\n0a42fb286fd722f019dfc5f167d69ced openssh-4.4p1-i386-1_slack8.1.tgz\n\nSlackware 9.0 package:\n92563664845d902251d7b19254b3dda1 openssh-4.4p1-i386-1_slack9.0.tgz\n\nSlackware 9.1 package:\n5814a00eefa0b1e1fe7673862525788e openssh-4.4p1-i486-1_slack9.1.tgz\n\nSlackware 10.0 package:\n24ce8b2013b8759a173e5ccd7db54289 openssh-4.4p1-i486-1_slack10.0.tgz\n\nSlackware 10.1 package:\ne7950e6a357871092514ce07051f055e openssh-4.4p1-i486-1_slack10.1.tgz\n\nSlackware 10.2 package:\nb8d2d67276a662de40d6adf9bfe00bce openssh-4.4p1-i486-1_slack10.2.tgz\n\nSlackware -current package:\n6f2c30b503db9685180af6f4a87eadcc openssh-4.4p1-i486-1.tgz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg openssh-4.4p1-i486-1_slack10.2.tgz\n\nIf you are running an sshd daemon, restart it:\n\nsh /etc/rc.d/rc.sshd restart", "published": "2006-09-29T00:57:38", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.592566", "cvelist": ["CVE-2006-5052", "CVE-2006-5051", "CVE-2006-4924"], "lastseen": "2016-09-07T19:54:48"}], "suse": [{"id": "SUSE-SA:2006:062", "type": "suse", "title": "remote denial of service in openssh", "description": "Several security problems were fixed in OpenSSH 4.4 and the bug fixes were back ported to the openssh versions in our products.\n#### Solution\nThere is no known workaround, please install the update packages.", "published": "2006-10-20T14:30:36", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2006-10/msg00011.html", "cvelist": ["CVE-2006-5052", "CVE-2006-4925", "CVE-2006-5051", "CVE-2006-4924"], "lastseen": "2016-09-04T11:40:17"}], "debian": [{"id": "DSA-1638", "type": "debian", "title": "openssh -- denial of service", "description": "It has been discovered that the signal handler implementing the login timeout in Debian's version of the OpenSSH server uses functions which are not async-signal-safe, leading to a denial of service vulnerability ([CVE-2008-4109](<https://security-tracker.debian.org/tracker/CVE-2008-4109>)).\n\nThe problem was originally corrected in OpenSSH 4.4p1 ([CVE-2006-5051](<https://security-tracker.debian.org/tracker/CVE-2006-5051>)), but the patch backported to the version released with etch was incorrect.\n\nSystems affected by this issue suffer from lots of zombie sshd processes. Processes stuck with a \"[net]\" process title have also been observed. Over time, a sufficient number of processes may accumulate such that further login attempts are impossible. Presence of these processes does not indicate active exploitation of this vulnerability. It is possible to trigger this denial of service condition by accident.\n\nFor the stable distribution (etch), this problem has been fixed in version 4.3p2-9etch3.\n\nFor the unstable distribution (sid) and the testing distribution (lenny), this problem has been fixed in version 4.6p1-1.\n\nWe recommend that you upgrade your openssh packages.", "published": "2008-09-16T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-1638", "cvelist": ["CVE-2006-5051", "CVE-2008-4109"], "lastseen": "2016-09-02T18:22:07"}, {"id": "DSA-1189", "type": "debian", "title": "openssh-krb5 -- several vulnerabilities", "description": "Several remote vulnerabilities have been discovered in OpenSSH, a free implementation of the Secure Shell protocol, which may lead to denial of service and potentially the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:\n\n * [CVE-2006-4924](<https://security-tracker.debian.org/tracker/CVE-2006-4924>)\n\nTavis Ormandy of the Google Security Team discovered a denial of service vulnerability in the mitigation code against complexity attacks, which might lead to increased CPU consumption until a timeout is triggered. This is only exploitable if support for SSH protocol version 1 is enabled.\n\n * [CVE-2006-5051](<https://security-tracker.debian.org/tracker/CVE-2006-5051>)\n\nMark Dowd discovered that insecure signal handler usage could potentially lead to execution of arbitrary code through a double free. The Debian Security Team doesn't believe the general openssh package without Kerberos support to be exploitable by this issue. However, due to the complexity of the underlying code we will issue an update to rule out all eventualities.\n\nFor the stable distribution (sarge) these problems have been fixed in version 3.8.1p1-7sarge1.\n\nFor the unstable distribution (sid) these problems have been fixed in version 4.3p2-4 of openssh. openssh-krb5 will soon be converted towards a transitional package against openssh.\n\nWe recommend that you upgrade your openssh-krb5 packages.", "published": "2006-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-1189", "cvelist": ["CVE-2006-5051", "CVE-2006-4924"], "lastseen": "2016-09-02T18:20:04"}, {"id": "DSA-1212", "type": "debian", "title": "openssh -- Denial of service", "description": "Two denial of service problems have been found in the OpenSSH server. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:\n\n * [CVE-2006-4924](<https://security-tracker.debian.org/tracker/CVE-2006-4924>)\n\nThe sshd support for ssh protocol version 1 does not properly handle duplicate incoming blocks. This could allow a remote attacker to cause sshd to consume significant CPU resources leading to a denial of service.\n\n * [CVE-2006-5051](<https://security-tracker.debian.org/tracker/CVE-2006-5051>)\n\nA signal handler race condition could potentially allow a remote attacker to crash sshd and could theoretically lead to the ability to execute arbitrary code.\n\nFor the stable distribution (sarge), these problems have been fixed in version 1:3.8.1p1-8.sarge.6.\n\nFor the unstable and testing distributions, these problems have been fixed in version 1:4.3p2-4.\n\nWe recommend that you upgrade your openssh package.", "published": "2006-11-15T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-1212", "cvelist": ["CVE-2006-5051", "CVE-2006-4924"], "lastseen": "2016-09-02T18:27:38"}], "ubuntu": [{"id": "USN-355-1", "type": "ubuntu", "title": "openssh vulnerabilities", "description": "Tavis Ormandy discovered that the SSH daemon did not properly handle \nauthentication packets with duplicated blocks. By sending specially \ncrafted packets, a remote attacker could exploit this to cause the ssh \ndaemon to drain all available CPU resources until the login grace time \nexpired. ([CVE-2006-4924](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2006-4924>))\n\nMark Dowd discovered a race condition in the server's signal handling. \nA remote attacker could exploit this to crash the server. \n([CVE-2006-5051](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2006-5051>))", "published": "2006-10-02T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/usn/usn-355-1/", "cvelist": ["CVE-2006-5051", "CVE-2006-4924"], "lastseen": "2017-08-09T19:12:03"}], "freebsd": [{"id": "32DB37A5-50C3-11DB-ACF3-000C6EC775D9", "type": "freebsd", "title": "openssh -- multiple vulnerabilities", "description": "\nProblem Description\nThe CRC compensation attack detector in the sshd(8) daemon,\n\t upon receipt of duplicate blocks, uses CPU time cubic in the\n\t number of duplicate blocks received.\t[CVE-2006-4924]\nA race condition exists in a signal handler used by the\n\t sshd(8) daemon to handle the LoginGraceTime option, which\n\t can potentially cause some cleanup routines to be executed\n\t multiple times. [CVE-2006-5051]\nImpact\nAn attacker sending specially crafted packets to sshd(8)\n\t can cause a Denial of Service by using 100% of CPU time\n\t until a connection timeout occurs. Since this attack can be\n\t performed over multiple connections simultaneously, it is\n\t possible to cause up to MaxStartups (10 by default) sshd\n\t processes to use all the CPU time they can obtain.\n\t [CVE-2006-4924]\nThe OpenSSH project believe that the race condition can\n\t lead to a Denial of Service or potentially remote code\n\t execution, but the FreeBSD Security Team has been unable to\n\t verify the exact impact. [CVE-2006-5051]\nWorkaround\nThe attack against the CRC compensation attack detector can\n\t be avoided by disabling SSH Protocol version 1 support in\n\t sshd_config(5).\nThere is no workaround for the second issue.\n", "published": "2006-09-25T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vuxml.freebsd.org/freebsd/32db37a5-50c3-11db-acf3-000c6ec775d9.html", "cvelist": ["CVE-2006-5051", "CVE-2006-4924"], "lastseen": "2016-09-26T17:25:05"}], "cert": [{"id": "VU:787448", "type": "cert", "title": "OpenSSH fails to properly handle multiple identical blocks in a SSH packet", "description": "### Overview\n\nOpenSSH fails to properly handle multiple identical blocks in a SSH packet. This vulnerability may cause a denial-of-service condition.\n\n### Description\n\nOpenSSH is an open source client and server implementation of the Secure Shell (SSH) protocol. OpenSSH includes a cyclic redundancy check (CRC) compensation attack detection function that produces a checksum on a block of data in a SSH packet. This function was introduced to defend against exploitation of CRC weaknesses in version 1 of the SSH protocol (see [VU#13877](<http://www.kb.cert.org/vuls/id/13877>)). Multiple identical blocks contained within a SSH packet may trigger a computationally expensive operation within the CRC attack detector that can lead to a denial of service. According to the OpenSSH 4.4 [release notes](<http://www.openssh.com/txt/release-4.4>): \n\n_[This vulnerability]...would cause sshd(8) to spin until the login grace time expired._\n\nThe OpenSSH sshd daemon is only vulnerable when SSH protocol version 1 is enabled. \n \n--- \n \n### Impact\n\nA remote, unauthenticated attacker could cause a denial-of service condition by sending specially crafted packets to the OpenSSH server that would cause it to use excessive CPU time until a connection timeout occurs. \n \n--- \n \n### Solution\n\n**Upgrade** \nSee the systems affected section of this document for information about specific vendors. Users who compile OpenSSH from source are encouraged to update to the most recent version. \n \n--- \n \n**Disable SSH version 1**\n\n \nSSH protocol version 1 should be disabled in order to prevent this vulnerability from occurring on affected systems. \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nApple Computer, Inc.| | -| 13 Mar 2007 \nAvaya, Inc.| | -| 23 Oct 2006 \nDebian GNU/Linux| | -| 06 Oct 2006 \nFreeBSD, Inc.| | -| 04 Oct 2006 \nGentoo Linux| | -| 02 Oct 2006 \nHewlett-Packard Company| | -| 19 Jan 2007 \nMandriva, Inc.| | -| 06 Oct 2006 \nOpenBSD| | -| 10 Nov 2006 \nOpenPKG| | -| 04 Oct 2006 \nOpenSSH| | -| 02 Oct 2006 \nRed Hat, Inc.| | -| 02 Oct 2006 \nrPath| | -| 02 Oct 2006 \nSlackware Linux Inc.| | -| 02 Oct 2006 \nSUSE Linux| | -| 23 Oct 2006 \nTrustix Secure Linux| | -| 06 Oct 2006 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23787448 Vendor Status Inquiry>). \n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * [http://marc.theaimsgroup.com/?l=openssh-unix-dev&m;=115939141729160&w;=2 ](<http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=115939141729160&w=2 >)\n * <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207955>\n * <http://secunia.com/advisories/22091>\n * <http://www.securityfocus.com/bid/20216>\n * <http://www.openssh.com/txt/release-4.4>\n * <https://issues.rpath.com/browse/RPL-661>\n * [http://www.slackware.com/security/viewer.php?l=slackware-security&y;=2006&m;=slackware-security.592566](<http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.592566>)\n * <http://secunia.com/advisories/22208/>\n * <http://secunia.com/advisories/22236/>\n * <http://secunia.com/advisories/22183/>\n * <http://support.avaya.com/elmodocs2/security/ASA-2006-216.htm>\n * <http://secunia.com/advisories/22362/>\n * <http://secunia.com/advisories/22495/>\n * <http://secunia.com/advisories/23241/>\n * <http://docs.info.apple.com/article.html?artnum=305214>\n\n### Credit\n\nThis issue was reported in the OpenSSH [4.4 release notes](<http://www.openssh.com/txt/release-4.4>). OpenSSH credits Tavis Ormandy of the Google Security Team for reporting this issue.\n\nThis document was written by Chris Taschner.\n\n### Other Information\n\n * CVE IDs: [CVE-2006-4924](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4924>)\n * Date Public: 27 Sep 2006\n * Date First Published: 04 Oct 2006\n * Date Last Updated: 13 Mar 2007\n * Severity Metric: 8.82\n * Document Revision: 41\n\n", "published": "2006-10-04T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.kb.cert.org/vuls/id/787448", "cvelist": ["CVE-2006-4924", "CVE-2006-4924"], "lastseen": "2016-02-03T09:13:32"}], "exploitdb": [{"id": "EDB-ID:2444", "type": "exploitdb", "title": "OpenSSH <= 4.3 p1 Duplicated Block Remote Denial of Service Exploit", "description": "OpenSSH <= 4.3 p1 (Duplicated Block) Remote Denial of Service Exploit. CVE-2006-4924. Dos exploits for multiple platform", "published": "2006-09-27T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/2444/", "cvelist": ["CVE-2006-4924"], "lastseen": "2016-01-31T16:16:28"}], "seebug": [{"id": "SSV-64033", "type": "seebug", "title": "OpenSSH <= 4.3 p1 (Duplicated Block) Remote Denial of Service Exploit", "description": "Summary: \nOpenSSH is an open source SSH Protocol Implementation, the initial version for the OpenBSD platform, and has now been ported to numerous Unix/Linux-like operating system.< br/>The OpenSSH in the process ssh packets in a plurality of identical blocks denial of service vulnerability exists, if you enable ssh Protocol 1, then a remote attacker can send a specially crafted ssh packets to Deplete the CPU resources.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-64033", "cvelist": ["CVE-2006-4924"], "lastseen": "2016-07-27T01:49:24"}]}}