Re: Need Help to Fix CVE-2008-1483, CVE-2008-5161, CVE-2015-5600 and CVE-2015-6565

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Hi All,

I fount following text on internet.

5161:

Error handling in the SSH protocol in (1) SSH Tectia Client and Server and
Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8;
Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on
IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and
6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K;
and (2) OpenSSH
4.7p1 and possibly other versions, when using a block cipher algorithm
in Cipher
Block Chaining (CBC) mode, makes it easier for remote attackers to recover
certain plaintext data from an arbitrary block of ciphertext in an SSH
session via unknown vectors.



1483:

OpenSSH 4.3p2, and probably other versions, allows local users to hijack
forwarded X connections by causing ssh to set DISPLAY to :10, even when
another process is listening on the associated port, as demonstrated by
opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.




Are these vulnerabilities applicable on Openssh 6.2p version?

Do we need to patch these in 6.2p.


Regards

Abhishek




On Mon, Mar 14, 2016 at 12:31 PM, abhi dhiman <abhi.dhiman83@xxxxxxxxx>
wrote:

> Hi All,
>
> Please direct me to the code changes for above vulnerabilities.
> We don't have a vendor but we use Openssh in our software. So can't
> upgrade it right now.
>
> Regards
> Abhishek
>
> On Tue, Mar 8, 2016 at 7:08 PM, Martin Hecht <hecht@xxxxxxx> wrote:
>
>>
>> Was that ssh shipped with your OS distribution? If yes, it might already
>> be patched if you have installed the OS security patches. Check with
>> your OS vendor.
>>
>> On 03/08/2016 02:19 PM, abhi dhiman wrote:
>> > Hi Gert,
>> >
>> > Thanks for your reply.
>> >
>> > But we can't upgrade to 7.2 version also we don't have plan to upgrade
>> in
>> > near future. Can I fix these vulnerabilities in the current version?
>> >
>> > Regards
>> > Abhishek
>> >
>> > On Tue, Mar 8, 2016 at 6:42 PM, Gert Doering <gert@xxxxxxxxxxxxxx>
>> wrote:
>> >
>> >> Hi,
>> >>
>> >> On Tue, Mar 08, 2016 at 06:14:01PM +0530, abhi dhiman wrote:
>> >>> Actually I am working with the OpenSSH version 6.2p which is
>> vulnerable
>> >> to
>> >>> above mentioned vulnerabilities.
>> >>>
>> >>> So am looking for some help how I can fix these vulnerabilities in my
>> >>> version. I need to fix it in the OpenSSH code.
>> >> "Upgrade to 7.2"?
>> >>
>> >> gert
>> >> --
>> >> USENET is *not* the non-clickable part of WWW!
>> >>                                                            //
>> >> www.muc.de/~gert/
>> >> Gert Doering - Munich, Germany
>> >> gert@xxxxxxxxxxxxxx
>> >> fax: +49-89-35655025
>> >> gert@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>> >>
>> >
>> >
>>
>>
>>
>
>
> --
> abhi~dhiman
>



-- 
abhi~dhiman
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux