Hardy OpenSSH version out-of-date - security risks

Bug #651720 reported by SeanB on 2010-09-30
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openssh (Ubuntu)
Undecided
Unassigned

Bug Description

Hi,

Can you please upgrade OpenSSH for Hardy to 5.2 or above to assist in PCI-DSS Compliance. The following security risks exist for the currently available version 4.7

OpenSSH Plaintext Recovery Attack Against SSH Vulnerability

OpenSSH X11 Hijacking Attack Vulnerability

Thank you.

CVE References

Marc Deslauriers (mdeslaur) wrote :

As per our policy, and in line with the security policy of most Linux distributions, we do not update versions of software in stable releases to fix security issues. We backport security fixes to the version available when the stable release came out.

In the case of "OpenSSH X11 Hijacking Attack Vulnerability", AKA CVE-2008-1483, the OpenSSH version in Hardy already contains a patch for this issue, as seen in the changelog of version 4.7p1-5.

For "OpenSSH Plaintext Recovery Attack Against SSH Vulnerability", AKA CVE-2008-5161, we have classified this as having a low security impact since the upstream openssh project has deemed this issue "infeasible in most circumstances". If this issue is a concern for you, you may configure your ssh server to prefer the AES CTR mode ciphers, as they do not contain this flaw. In order to do so, edit your server's sshd_config file to contain the following line:

Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc

Due to the first issue being fixed already, and the second attack being "infeasible", we are of the opinion that the current OpenSSH packages in hardy correctly adhere to PCI-DSS compliance.

Changed in openssh (Ubuntu):
status: New → Invalid
SeanB (sean-brokenshire) wrote :

Thank you for the explanation.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Related questions