Debian OpenSSH vulnerabilities
115 known vulnerabilities affecting debian/openssh.
Total CVEs: 115
CISA KEV: 0
Public exploits: 20
Exploited in wild: 5
Severity breakdown: CRITICAL 5, HIGH 21, MEDIUM 25, LOW 64
Vulnerabilities
Page 4 of 6
CVE-2013-4548 | MEDIUM | CVSS 6.0 | fixed in openssh 1:6.4p1-1 (bookworm) | 2013
CVE-2013-4548 [MEDIUM] CVE-2013-4548: openssh - The mm_newkeys_from_blob function in monitor_wrap.c in sshd in OpenSSH 6.2 and 6...
The mm_newkeys_from_blob function in monitor_wrap.c in sshd in OpenSSH 6.2 and 6.3, when an AES-GCM cipher is used, does not properly initialize memory for a MAC context data structure, which allows remote authenticated users to bypass intended ForceCommand and login-shell restrictions via packet data that provides a crafted callback address.
Scope: local
bookworm:
CVE-2012-0814 | LOW | CVSS 3.5 | fixed in openssh 1:5.6p1-1 (bookworm) | 2012
CVE-2012-0814 [LOW] CVE-2012-0814: openssh - The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 ...
The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by the shared user account required by Gitolite. NOTE: this can cross privilege boundaries becau
CVE-2011-0539 | MEDIUM | CVSS 5.0 | fixed in openssh 1:5.8p1-2 (bookworm) | 2011
CVE-2011-0539 [MEDIUM] CVE-2011-0539: openssh - The key_certify function in usr.bin/ssh/key.c in OpenSSH 5.6 and 5.7, when gener...
The key_certify function in usr.bin/ssh/key.c in OpenSSH 5.6 and 5.7, when generating legacy certificates using the -t command-line option in ssh-keygen, does not initialize the nonce field, which might allow remote attackers to obtain sensitive stack memory contents or make it easier to conduct hash collision attacks.
Scope: local
bookworm: resolved (fixed in 1:5.8
CVE-2011-5000 | LOW | CVSS 3.5 | fixed in openssh 1:5.9p1-1 (bookworm) | 2011
CVE-2011-5000 [LOW] CVE-2011-5000: openssh - The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and earlier, wh...
The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and earlier, when gssapi-with-mic authentication is enabled, allows remote authenticated users to cause a denial of service (memory consumption) via a large value in a certain length field. NOTE: there may be limited scenarios in which this issue is relevant.
Scope: local
bookworm: resolved (fixed in 1:5.
CVE-2011-4327 | LOW | CVSS 2.1 | 2011
CVE-2011-4327 [LOW] CVE-2011-4327: openssh - ssh-keysign.c in ssh-keysign in OpenSSH before 5.8p2 on certain platforms execut...
ssh-keysign.c in ssh-keysign in OpenSSH before 5.8p2 on certain platforms executes ssh-rand-helper with unintended open file descriptors, which allows local users to obtain sensitive key information via the ptrace system call.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
CVE-2010-4478 | LOW | CVSS 7.5 | 2010
CVE-2010-4478 [HIGH] CVE-2010-4478: openssh - OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the ...
OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol, a related issue to CVE-2010-4252.
Scope: local
bookworm: resolved
bullseye:
CVE-2010-5107 | LOW | CVSS 5.0 | fixed in openssh 1:6.0p1-4 (bookworm) | 2010
CVE-2010-5107 [MEDIUM] CVE-2010-5107: openssh - The default configuration of OpenSSH through 6.1 enforces a fixed time limit bet...
The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections.
Scope: local
bookworm: resolved (fixed in 1:6.0p1-4)
bullseye: resolved (fixed
CVE-2009-2904 | LOW | CVSS 6.9 | 2009
CVE-2009-2904 [MEDIUM] CVE-2009-2904: openssh - A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as...
A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership.
Scope: local
bookworm: res
CVE-2008-0166 | HIGH | CVSS 7.5 | PoC | fixed in openssh 4.7p1-9 (bookworm) | 2008
CVE-2008-0166 [HIGH] CVE-2008-0166: openssh - OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating system...
OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.
Scope: local
bookworm: resolved (fixed in 4.7p1-9)
bullseye: resolved (fixed in 4.7p1-9)
forky: resolved (fixe
CVE-2008-2285 | HIGH | CVSS 7.5 | fixed in openssh 1:4.7p1-10 (bookworm) | 2008
CVE-2008-2285 [HIGH] CVE-2008-2285: openssh - The ssh-vulnkey tool on Ubuntu Linux 7.04, 7.10, and 8.04 LTS does not recognize...
The ssh-vulnkey tool on Ubuntu Linux 7.04, 7.10, and 8.04 LTS does not recognize authorized_keys lines that contain options, which makes it easier for remote attackers to exploit CVE-2008-0166 by guessing a key that was not identified by this tool.
Scope: local
bookworm: resolved (fixed in 1:4.7p1-10)
bullseye: resolved (fixed in 1:4.7p1-10)
forky: resolved (fixed in
CVE-2008-1483 | MEDIUM | CVSS 6.9 | fixed in openssh 1:4.7p1-5 (bookworm) | 2008
CVE-2008-1483 [MEDIUM] CVE-2008-1483: openssh - OpenSSH 4.3p2, and probably other versions, allows local users to hijack forward...
OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
Scope: local
bookworm: resolved (fixed in 1:4.7p1-5)
bullseye: resolved (fixed in 1:4
CVE-2008-4109 | LOW | CVSS 8.1 | fixed in openssh 1:4.6p1-1 (bookworm) | 2008
CVE-2008-4109 [HIGH] CVE-2008-4109: openssh - A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; before 4.6p1-1 o...
A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; before 4.6p1-1 on sid and lenny; and on other distributions such as SUSE uses functions that are not async-signal-safe in the signal handler for login timeouts, which allows remote attackers to cause a denial of service (connection slot exhaustion) via multiple login attempts. NOTE: this issue exists beca
CVE-2008-1657 | LOW | CVSS 6.5 | fixed in openssh 1:4.7p1-8 (bookworm) | 2008
CVE-2008-1657 [MEDIUM] CVE-2008-1657: openssh - OpenSSH 4.4 up to versions before 4.9 allows remote authenticated users to bypas...
OpenSSH 4.4 up to versions before 4.9 allows remote authenticated users to bypass the sshd_config ForceCommand directive by modifying the .ssh/rc session file.
Scope: local
bookworm: resolved (fixed in 1:4.7p1-8)
bullseye: resolved (fixed in 1:4.7p1-8)
forky: resolved (fixed in 1:4.7p1-8)
sid: resolved (fixed in 1:4.7p1-8)
trixie: resolved (fixed in 1:4.7p1-8)
CVE-2008-3259 | LOW | CVSS 1.2 | 2008
CVE-2008-3259 [LOW] CVE-2008-3259: openssh - OpenSSH before 5.1 sets the SO_REUSEADDR socket option when the X11UseLocalhost ...
OpenSSH before 5.1 sets the SO_REUSEADDR socket option when the X11UseLocalhost configuration setting is disabled, which allows local users on some platforms to hijack the X11 forwarding port via a bind to a single IP address, as demonstrated on the HP-UX platform.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
CVE-2008-3234 | LOW | CVSS 6.5 | PoC | 2008
CVE-2008-3234 [MEDIUM] CVE-2008-3234: openssh - sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows...
sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
CVE-2008-5161 | LOW | CVSS 2.6 | PoC | fixed in openssh 1:5.1p1-5 (bookworm) | 2008
CVE-2008-5161 [LOW] CVE-2008-5161: openssh - Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Conne...
Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K; and (2) Ope
CVE-2007-2768 | LOW | CVSS 5.0 | 2007
CVE-2007-2768 [MEDIUM] CVE-2007-2768: openssh - OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remo...
OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: o
CVE-2007-4752 | LOW | CVSS 7.5 | fixed in openssh 1:4.7p1-1 (bookworm) | 2007
CVE-2007-4752 [HIGH] CVE-2007-4752: openssh - ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cann...
ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.
Scope: local
bookworm: resolved (fixed in 1:4.7p1-1)
bullseye: resolved (fixed in 1:4.7p1-1)
forky: resolved (fixed in
CVE-2007-3102 | LOW | CVSS 4.3 | 2007
CVE-2007-3102 [MEDIUM] CVE-2007-3102: openssh - Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4....
Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolve
CVE-2007-2243 | LOW | CVSS 5.0 | 2007
CVE-2007-2243 [MEDIUM] CVE-2007-2243: openssh - OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows...
OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open