USN-649-1: OpenSSH vulnerabilities


 
Posted 10-01-2008

Referenced CVEs:
CVE-2008-1657, CVE-2008-4109


Description:
===========================================================
Ubuntu Security Notice USN-649-1 October 01, 2008
openssh vulnerabilities
CVE-2008-1657, CVE-2008-4109
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  openssh-server 1:4.2p1-7ubuntu3.5

Ubuntu 7.04:
  openssh-server 1:4.3p2-8ubuntu1.5

Ubuntu 7.10:
  openssh-server 1:4.6p1-5ubuntu0.6

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that the ForceCommand directive could be bypassed.
If a local user created a malicious ~/.ssh/rc file, they could execute
arbitrary commands as their user id. This only affected Ubuntu 7.10.
(CVE-2008-1657)

USN-355-1 fixed vulnerabilities in OpenSSH. It was discovered that the
fixes for this issue were incomplete. A remote attacker could attempt
multiple logins, filling all available connection slots, leading to a
denial of service. This only affected Ubuntu 6.06 and 7.04.
(CVE-2008-4109)





SSH-ARGV0(1)              BSD General Commands Manual              SSH-ARGV0(1)

NAME
     ssh-argv0 -- replaces the old ssh command-name as hostname handling

SYNOPSIS
     hostname | user@hostname [-l login_name] [command]

     hostname | user@hostname [-afgknqstvxACNTX1246] [-b bind_address]
              [-c cipher_spec] [-e escape_char] [-i identity_file]
              [-l login_name] [-m mac_spec] [-o option] [-p port]
              [-F configfile] [-L port:host:hostport]
              [-R port:host:hostport] [-D port] [command]

DESCRIPTION
     ssh-argv0 replaces the old ssh command-name as hostname handling. If
     you link to this script with a hostname then executing the link is
     equivalent to having executed ssh with that hostname as an argument.
     All other arguments are passed to ssh and will be processed normally.

OPTIONS
     See ssh(1).

FILES
     See ssh(1).

AUTHORS
     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
     Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
     Theo de Raadt and Dug Song removed many bugs, re-added newer features
     and created OpenSSH. Markus Friedl contributed the support for SSH
     protocol versions 1.5 and 2.0. Jonathan Amery wrote this ssh-argv0
     script and the associated documentation.

SEE ALSO
     ssh(1)

Debian Project                  September 7, 2001                Debian Project