Opened 17 years ago

Closed 17 years ago

#2188 closed defect (fixed)

OpenSSH-4.5p1 / Security fixes

Reported by: dnicholson@…
Owned by: bdubbs@…
Priority: high
Milestone: 6.2.0
Component: BOOK
Version: SVN
Severity: critical
Keywords:
Cc:

Description (last modified by bdubbs@…)

OpenSSH 4.4p1 has been released. It fixes three security issues as well as adding some features.

http://www.openssh.com/txt/release-4.4

Now OpenSSH 4.5p1 with some additional security fixes

http://www.openssh.com/txt/release-4.5

Change History (5)

comment:1 by Randy McMurchy, 17 years ago

Severity: normal → critical

I'm thinking the most prudent thing to do is update this package. The vulnerabilities need to be addressed. If someone is already using this version without issues, I can update the BLFS book easy enough.

Otherwise, let's hope that someone can update to this version and test things out a bit. To me, simply starting the daemon and connecting from another host and then using the client to connect to a remote daemon should be enough.

I suppose the only concern would be to ensure that this new version is backward compatible with previous versions (though I can't imagine that it is not).

comment:2 by alexander@…, 17 years ago

The SVN version of the LiveCD has this package. Basic test cases such as "connect to another host", "start a server and let the user log in using a password", "forward a local port", "get a warning on host key change" pass. However, I don't think that testing by two people in VMware is sufficient to let the package in.

Please test at least the following before letting the package in:

  • syslogging of failed connections with/without PAM, with password and/or public key
  • remote and dynamic port forwarding
  • X forwarding
  • restrictions on public keys in .authorized_keys file

comment:3 by dnicholson@…, 17 years ago

It's working fine so far for me, but I don't do anything special with it. I've tested with PAM for failed logins w/ password & public keys. I've tested X forwarding over PAM. So far, everything's fine. I'm not too good with port forwarding, so it'd be better if someone else checked this out.

comment:4 by bdubbs@…, 17 years ago

Description: modified (diff)
Owner: changed from blfs-book@… to bdubbs@…
Status: new → assigned
Summary: OpenSSH-4.4p1 / Security fixes → OpenSSH-4.5p1 / Security fixes

comment:5 by bdubbs@…, 17 years ago

Resolution: fixed
Status: assigned → closed

Fixed at revision 6385.
