Hardy OpenSSH version out-of-date - security risks
Bug #651720 reported by
SeanB
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| openssh (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
Hi,
Can you please upgrade OpenSSH for Hardy to 5.2 or above to assist in PCI-DSS Compliance. The following security risks exist for the currently available version 4.7
OpenSSH Plaintext Recovery Attack Against SSH Vulnerability
OpenSSH X11 Hijacking Attack Vulnerability
Thank you.
Revision history for this message
| Marc Deslauriers (mdeslaur) wrote | #1 |
| Changed in openssh (Ubuntu): | |
| status: | New → Invalid |
Revision history for this message
| SeanB (sean-brokenshire) wrote | #2 |
To post a comment you must log in.
As per our policy, and in line with the security policy of most Linux distributions, we do not update versions of software in stable releases to fix security issues. We backport security fixes to the version available when the stable release came out.
In the case of "OpenSSH X11 Hijacking Attack Vulnerability", AKA CVE-2008-1483, the OpenSSH version in Hardy already contains a patch for this issue, as seen in the changelog of version 4.7p1-5.
For "OpenSSH Plaintext Recovery Attack Against SSH Vulnerability", AKA CVE-2008-5161, we have classified this as having a low security impact since the upstream openssh project has deemed this issue "infeasible in most circumstances". If this issue is a concern for you, you may configure your ssh server to prefer the AES CTR mode ciphers, as they do not contain this flaw. In order to do so, edit your server's sshd_config file to contain the following line:
Ciphers aes128-
Due to the first issue being fixed already, and the second attack being "infeasible", we are of the opinion that the current OpenSSH packages in hardy correctly adhere to PCI-DSS compliance.