[CVE-2007-4752] ssh in OpenSSH before 4.7 does not properly handle...
Bug #162171 reported by
Stephan Rügamer
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openssh (Ubuntu) |
Fix Released
|
Undecided
|
Colin Watson | ||
Dapper |
Fix Released
|
Low
|
Stephan Rügamer | ||
Edgy |
Fix Released
|
Low
|
Stephan Rügamer | ||
Feisty |
Fix Released
|
Low
|
Stephan Rügamer | ||
Gutsy |
Fix Released
|
Low
|
Stephan Rügamer |
Bug Description
Dear Colleagues,
According to CVE-2007-4752:
ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.
Please find attached some debdiffs.
Regards,
\sh
CVE References
Changed in openssh: | |
assignee: | nobody → shermann |
status: | New → In Progress |
Changed in openssh: | |
assignee: | nobody → shermann |
importance: | Undecided → Low |
status: | New → Fix Committed |
assignee: | nobody → shermann |
importance: | Undecided → Low |
status: | New → Fix Committed |
assignee: | nobody → shermann |
importance: | Undecided → Low |
status: | New → Fix Committed |
assignee: | nobody → shermann |
importance: | Undecided → Low |
status: | New → Fix Committed |
To post a comment you must log in.
Fixed in Hardy now; stable updates still remain (Kees acknowledged this bug on IRC).
openssh (1:4.7p1-1) unstable; urgency=low
* New upstream release (closes: #453367). 6/hmac- md5. ilure option is set. me(2), allowing hostbased authentication to work. doc/openssh- client. sshd_not_ to_be_run exists
- CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if
creation of an untrusted cookie fails; found and fixed by Jan Pechanec
(closes: #444738).
- sshd(8) in new installations defaults to SSH Protocol 2 only. Existing
installations are unchanged.
- The SSH channel window size has been increased, and both ssh(1)
sshd(8) now send window updates more aggressively. These improves
performance on high-BDP (Bandwidth Delay Product) networks.
- ssh(1) and sshd(8) now preserve MAC contexts between packets, which
saves 2 hash calls per packet and results in 12-16% speedup for
arcfour25
- A new MAC algorithm has been added, UMAC-64 (RFC4418) as
"<email address hidden>". UMAC-64 has been measured to be approximately
20% faster than HMAC-MD5.
- Failure to establish a ssh(1) TunnelForward is now treated as a fatal
error when the ExitOnForwardFa
- ssh(1) returns a sensible exit status if the control master goes away
without passing the full exit status.
- When using a ProxyCommand in ssh(1), set the outgoing hostname with
gethostna
- Make scp(1) skip FIFOs rather than hanging (closes: #246774).
- Encode non-printing characters in scp(1) filenames. These could cause
copies to be aborted with a "protocol error".
- Handle SIGINT in sshd(8) privilege separation child process to ensure
that wtmp and lastlog records are correctly updated.
- Report GSSAPI mechanism in errors, for libraries that support multiple
mechanisms.
- Improve documentation for ssh-add(1)'s -d option.
- Rearrange and tidy GSSAPI code, removing server-only code being linked
into the client.
- Delay execution of ssh(1)'s LocalCommand until after all forwardings
have been established.
- In scp(1), do not truncate non-regular files.
- Improve exit message from ControlMaster clients.
- Prevent sftp-server(8) from reading until it runs out of buffer space,
whereupon it would exit with a fatal error (closes: #365541).
- pam_end() was not being called if authentication failed
(closes: #405041).
- Manual page datestamps updated (closes: #433181).
* Install the OpenSSH FAQ in /usr/share/
- Includes documentation on copying files with colons using scp
(closes: #303453).
* Create /var/run/sshd on start even if /etc/ssh/
(closes: #453285).
* Fix "overriden" typo in ssh(1) (thanks, A. Costa; closes: #390699).
* Refactor debian/rules configure and make invocations to make development
easier.
* Remove the hideously old /etc/ssh/primes on upgrade (closes: #123013).
* Update moduli(5) to revision 1.11 from OpenBSD CVS.
* Document the non-default options we set as standard in ssh_config(5) and
sshd_config(5) (closes: #327886, #345...