Re: [SECURITY] [DSA 1638-1] New openssh packages fix denial of service
* Florian Weimer:
> Debian-specific: no
> It has been discovered that the signal handler implementing the login
> timeout in Debian's version of the OpenSSH server uses functions which
> are not async-signal-safe, leading to a denial of service
> vulnerability (CVE-2008-4109).
>
> The problem was originally corrected in OpenSSH 4.4p1 (CVE-2006-5051),
> but the patch backported to the version released with etch was
> incorrect.
Regarding the apparent inconsistency: the incorrect patch was not just
used by Debian, but also by other distributions. The upstream fix was
correct, though, so some backported patches for CVE-2006-5051 are not
affected by CVE-2008-4109, hence the two CVE names.
The missing mipsel packages will be delivered as soon as they are
available.