CVE-2011-0539
https://notcve.org/view.php?id=CVE-2011-0539
The key_certify function in usr.bin/ssh/key.c in OpenSSH 5.6 and 5.7, when generating legacy certificates using the -t command-line option in ssh-keygen, does not initialize the nonce field, which might allow remote attackers to obtain sensitive stack memory contents or make it easier to conduct hash collision attacks. La función key_certify en usr.bin/ssh/key.c en OpenSSH v5.6 y v5.7 al generar los certificados de herencia con la opción de línea de comandos -t en ssh-keygen, no se inicializa el campo nonce, que podría permitir a atacantes remotos obtener contenido sensible de la pila de memoria o que sea más fácil de llevar a cabo ataques de colisión hash. • http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02794777 http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10673 http://secunia.com/advisories/43181 http://secunia.com/advisories/44269 http://www.openssh.com/txt/legacy-cert.adv http://www.openwall.com/lists/oss-security/2011/02/04/2 http://www.securityfocus.com/bid/46155 http://www.securitytracker.com/id?1025028 http://www.vupen.com/english/advisories/2011/0284 https://exchange.xforce.ibmcloud. • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2010-4478
https://notcve.org/view.php?id=CVE-2010-4478
OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol, a related issue to CVE-2010-4252. OpenSSH v5.6 y versiones anteriores, si J-PAKE está activo, no valida apropiadamente los parámetros públicos en el protocolo J-PAKE, lo que permite a atacantes remotos evitar la necesidad de conocer el secreto compartido, y autenticarse con éxito, enviando valores modificados en cada turno del protocolo. Relacionado con CVE-2010-4252. • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10673 http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/jpake.c#rev1.5 http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/jpake.c.diff?r1=1.4%3Br2=1.5%3Bf=h https://bugzilla.redhat.com/show_bug.cgi?id=659297 https://github.com/seb-m/jpake https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12338 • CWE-287: Improper Authentication •
CVE-2009-2904 – openssh: possible privilege escalation when using ChrootDirectory setting
https://notcve.org/view.php?id=CVE-2009-2904
A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership. Ciertas modificaciones Ret Hat en ChrootDirectory feature en OpenSSH v4.8, como el usado en sshd en OpenSSH v4.3 en Red Hat Enterprise Linux (RHEL) v5.4 y Fedora v11, permite a usuarios locales obtener privilegios a través de enlaces fuertes en programas setuid que usa una configuración de ficheros con el chroot directory, relacionado con requerimientos para el propietario. • http://lists.fedoraproject.org/pipermail/package-announce/2010-March/038214.html http://lists.vmware.com/pipermail/security-announce/2010/000082.html http://osvdb.org/58495 http://secunia.com/advisories/38794 http://secunia.com/advisories/38834 http://secunia.com/advisories/39182 http://www.securityfocus.com/bid/36552 http://www.vupen.com/english/advisories/2010/0528 https://bugzilla.redhat.com/show_bug.cgi?id=522141 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg • CWE-16: Configuration •
CVE-2008-5161 – OpenSSH: Plaintext Recovery Attack against CBC ciphers
https://notcve.org/view.php?id=CVE-2008-5161
Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors. Error en el manejo del protocolo SSH en (1) SSH Tectia Client y Server y Connector 4v.0 a la v4.4.11, v5.0 a la v5.2.4, y v5.3 a la v5.3.8; Client y Server y ConnectSecure v6.0 a la v6.0.4; Server para Linux sobre IBM System z v6.0.4; Server para IBM z/OS v5.5.1 y anteriores, v6.0.0, y v6.0.1; y Client v4.0-J a la v4.3.3-J y v4.0-K a la v4.3.10-K; y (2) OpenSSH v4.7p1 y posiblemente otras versiones, cuando usan un algoritmo de bloque cifrado en el modo Cipher Block Chaining (CBC), facilita a los atacantes remotos el conseguir cierta información en texto plano desde cualquier bloque de texto cifrado de su elección en una sessión SSH mediante vectores de ataque desconocidos. • http://isc.sans.org/diary.html?storyid=5366 http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html http://marc.info/?l=bugtraq&m=125017764422557&w=2 http://openssh.org/txt/cbc.adv http://osvdb.org/49872 http://osvdb.org/50035 http://osvdb.org/50036 http://rhn.redhat.com/errata/RHSA-2009-1287.html http://secunia.com/advisories/32740 http://secunia.com/advisories/32760 http:/ • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2008-4109
https://notcve.org/view.php?id=CVE-2008-4109
A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; before 4.6p1-1 on sid and lenny; and on other distributions such as SUSE uses functions that are not async-signal-safe in the signal handler for login timeouts, which allows remote attackers to cause a denial of service (connection slot exhaustion) via multiple login attempts. NOTE: this issue exists because of an incorrect fix for CVE-2006-5051. Cierto parche de Debian para OpenSSH en versiones anteriores a 4.3p2-9etch3 en etch, y versiones anteriores a 4.6p1-1 en sid y lenny, que utiliza funciones que no son señales asíncronas seguras (async-signal-safe) en el gestor de señales para los tiempos de autentificado, el cual permite a los atacantes remotos causar una denegación de servicio (agotamiento de la ranura de conexión) a través de múltiples intentos de autenticación. NOTA: esto existe por una incorrecta solución de CVE-2006-5051. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498678 http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html http://secunia.com/advisories/31885 http://secunia.com/advisories/32080 http://secunia.com/advisories/32181 http://www.debian.org/security/2008/dsa-1638 http://www.openwall.com/lists/oss-security/2024/07/01/3 http://www.securitytracker.com/id?1020891 http://www.ubuntu.com/usn/usn-649-1 https://exchange.xforce.ibmcloud.com/vulnerabilities/4520 • CWE-264: Permissions, Privileges, and Access Controls •