
Re: [SECURITY] [DSA 1638-1] New openssh packages fix denial of service



* Florian Weimer:

> Debian-specific: no

> It has been discovered that the signal handler implementing the login
> timeout in Debian's version of the OpenSSH server uses functions which
> are not async-signal-safe, leading to a denial of service
> vulnerability (CVE-2008-4109).
>
> The problem was originally corrected in OpenSSH 4.4p1 (CVE-2006-5051),
> but the patch backported to the version released with etch was
> incorrect.

Regarding the apparent inconsistency: the incorrect patch was not just
used by Debian, but also by other distributions.  The upstream fix was
correct, though, so some backported patches for CVE-2006-5051 are not
affected by CVE-2008-4109, hence the two CVE names.

The missing mipsel packages will be delivered as soon as they are
available.
