GLSA 200609-17: OpenSSH: Denial of Service

Severity: normal
Title: OpenSSH: Denial of Service
Date: 09/27/2006
Bugs: #148228
ID: 200609-17

Synopsis

A flaw in the OpenSSH daemon allows remote unauthenticated attackers to cause a Denial of Service.

Background

OpenSSH is a free suite of applications for the SSH protocol, developed and maintained by the OpenBSD project.

Affected packages

Package            Vulnerable     Unaffected      Architecture(s)
net-misc/openssh   < 4.3_p2-r5    >= 4.3_p2-r5    All supported architectures

Description

Tavis Ormandy of the Google Security Team discovered a Denial of Service vulnerability in the SSH protocol version 1 CRC compensation attack detector, a code path that is reached before authentication and only on protocol version 1 connections.

Impact

A remote, unauthenticated attacker may be able to trigger excessive CPU usage in sshd by sending a specially crafted SSH protocol version 1 message before authenticating, denying service to other legitimate users or processes.

Workaround

The system administrator may disable SSH protocol version 1 by setting "Protocol 2" in /etc/ssh/sshd_config (replacing any "Protocol 2,1" line, which still offers version 1) and reloading sshd. Since the CRC compensation attack detector is only used for protocol version 1 connections, this removes the vulnerable code path.
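
As an added example (not part of this GLSA and not code from the OpenSSH project), the POSIX shell script below checks an sshd_config for protocol version 1, applies the "Protocol 2" rewrite, and classifies a server identification banner so the change can be confirmed from a client. It assumes that an sshd_config with no Protocol directive falls back to the OpenSSH 4.3 compiled-in default of offering both protocols, writes its constructed sample configurations to a temporary directory rather than /etc/ssh/sshd_config, and mentions nc only as one possible way to fetch a live banner.

```shell
#!/bin/sh
# Added example for the workaround above; not taken from the GLSA or from
# OpenSSH. Inspects an sshd_config for SSH protocol version 1, rewrites it to
# "Protocol 2", and classifies a server identification banner so the change
# can be confirmed from a client. Sample configs are constructed in a
# temporary directory, never in /etc/ssh.

# Print the value of the first active "Protocol" directive in FILE (empty if
# none). sshd(8) keeps the first value it reads for a keyword, so the first
# match wins; the keyword is case-insensitive, "Protocol=2" is accepted, and
# lines starting with "#" are comments.
effective_protocol() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ { next }
        tolower($1) == "protocol" || tolower($1) ~ /^protocol=/ {
            sub(/^[^ \t=]*[ \t]*=?[ \t]*/, "")   # strip keyword and separator
            sub(/[ \t]+$/, "")                   # strip trailing blanks
            print
            exit
        }' "$1"
}

# Print "enabled", "disabled" or "default" for protocol 1 in FILE.
# "default" means no Protocol directive at all. Assumption: the installed
# OpenSSH 4.3 build then offers both protocols (2,1), so "default" is not safe.
protocol1_status() {
    p=$(effective_protocol "$1")
    if [ -z "$p" ]; then
        echo default
        return 0
    fi
    case ",$p," in
        *,1,*) echo enabled ;;
        *)     echo disabled ;;
    esac
}

# Rewrite FILE so only protocol 2 is offered: drop every active Protocol line
# and put "Protocol 2" first, so it wins over any line appended later.
# On a real system follow this with "sshd -t" and a reload of sshd.
disable_protocol1() {
    tmp="$1.tmp.$$"
    {
        echo "Protocol 2"
        awk 'tolower($0) !~ /^[ \t]*protocol[ \t=]/' "$1"
    } > "$tmp" && mv "$tmp" "$1"
}

# Classify a server identification string (RFC 4253 section 5.1).
# "SSH-1.99-" means both protocols are offered, "SSH-2.0-" protocol 2 only,
# "SSH-1.5-"/"SSH-1.3-" protocol 1 only. One way to fetch a live banner
# (assumes a BSD/GNU-style nc):  nc -w 3 host 22 </dev/null | head -n 1
# Returns 0 if protocol 1 is offered, 1 if not, 2 if the string is not an
# SSH banner.
banner_offers_v1() {
    case "$1" in
        SSH-1.99-*) return 0 ;;
        SSH-1.*)    return 0 ;;
        SSH-2.0-*)  return 1 ;;
        *)          return 2 ;;
    esac
}

# Demonstration on constructed sample files (not real system configuration).
demo=$(mktemp -d)
printf 'Port 22\n#Protocol 2\nProtocol 2,1\nPermitRootLogin no\n' > "$demo/before"
cp "$demo/before" "$demo/after"
disable_protocol1 "$demo/after"
echo "before: protocol 1 $(protocol1_status "$demo/before")"   # enabled
echo "after:  protocol 1 $(protocol1_status "$demo/after")"    # disabled
for b in SSH-1.99-OpenSSH_4.3 SSH-2.0-OpenSSH_4.3; do
    banner_offers_v1 "$b"
    rc=$?
    case $rc in
        0) echo "$b: still offers protocol 1" ;;
        1) echo "$b: protocol 2 only" ;;
        *) echo "$b: not an SSH banner" ;;
    esac
done
rm -rf "$demo"
```

After changing the real /etc/ssh/sshd_config, run "sshd -t" to validate the file and reload sshd through the init script; the banner check is the only part of this script that should be pointed at a live host, and a server that still answers "SSH-1.99-" has not actually dropped protocol version 1.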

Resolution

All OpenSSH users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/openssh-4.3_p2-r5"

References

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200609-17.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or, alternatively, you may file a bug at https://bugs.gentoo.org.

License

Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

Thank you!