Is there a security ssh issue in Ubuntu?

Asked by Daniel Stone on 2009-07-09

We have limited information about this exploit and the extent of it, but as far as we know, it affects only Linux boxes running OpenSSH compiled against OpenSSL, with the exception of OpenSSL version 1.0.x beta.

Is this resolved in any patches?

Question information

Language: English
Status: Answered
For: Ubuntu openssh
Assignee: No assignee
Last query: 2009-07-09
Last reply: 2009-07-10

Daniel Stone (danielstone) said : #1

The reason I say this is one of my hosts posted this message and I notice that Jaunty is on 5.1 and 0.98.

Log it as a bug with as much information as you can get. If you are correct then this will need solving immediately.

Johan Van de Wauw (johanvdw) said : #3

There are indeed rumors about security problems in ssh. However nobody was able to verify them:
http://lwn.net/Articles/340483/

If you have more information, you should indeed submit more info - but at this time there is no reason to worry.

Daniel Stone (danielstone) said : #4

From what I can gather I can ask and answer my own question. This affects CentOS and only ver. 4.3 ssh. Yes, this is a security issue. Many refer to it as 0day or Oday.
Here is a link to more info: http://www.webhostingtalk.com/showthread.php?t=873301
As I know little of ssh I do heed a warning because my host (which is said to host 1.8 million domains) is changing their ssh.
Can someone look into this...

Steven Danna (ssd7) said : #5

According to everything I have read, this has not been confirmed to be anything more than a hoax. That is not to say that such an exploit does not exist, but simply that I have not seen one reliable source that can confirm such an exploit.

Obviously the best way to stay secure is to ensure you are receiving all of the latest updates. If a security flaw is confirmed it will most certainly be reported here: http://www.ubuntu.com/usn
