Fedora has issued an advisory on February 9:
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098692.html

Patched packages uploaded for Mageia 2 and Cauldron.
Patch checked into Mageia 1 SVN.

Advisory:
========================

Updated openssh packages fix security vulnerability:

A denial of service flaw was found in the way default server configuration of OpenSSH, an open source implementation of SSH protocol versions 1 and 2, performed management of its connection slot. A remote attacker could use this flaw to cause connection slot exhaustion on the server (CVE-2010-5107).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5107
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098692.html
========================

Updated packages in core/updates_testing:
========================
openssh-5.9p1-5.1.mga2
openssh-clients-5.9p1-5.1.mga2
openssh-server-5.9p1-5.1.mga2
openssh-askpass-common-5.9p1-5.1.mga2
openssh-askpass-5.9p1-5.1.mga2
openssh-askpass-gnome-5.9p1-5.1.mga2

from openssh-5.9p1-5.1.mga2.src.rpm
not sure, but possible PoC? http://www.openwall.com/lists/oss-security/2013/02/06/5
CC: (none) => marc.lattemann
could not reproduce PoC:

'attacking' PC:
[marc@Rechner Programme]$ ./a.out 192.168.0.119:22 1
[+] getting needed connection count...
[+] attacking 192.168.0.119 port 22 with 10 connections
[+] opening connection 10
[*] sleeping for 1 seconds...
[+] closing connections and restarting
[+] opening connection 10
[*] sleeping for 1 seconds...
[+] closing connections and restarting
[+] opening connection 10
[*] sleeping for 1 seconds...
^C

log-file of openssh-server:
Feb 13 22:24:35 MGA2_64 sshd[5037]: Did not receive identification string from 192.168.0.129
Feb 13 22:24:35 MGA2_64 sshd[5038]: Did not receive identification string from 192.168.0.129
Feb 13 22:24:35 MGA2_64 sshd[5034]: Did not receive identification string from 192.168.0.129
[..]

not sure if (and how) I need to increase connection count?
The last argument is optional, but should be 120 generally (should match the LoginGraceTime setting in /etc/ssh/sshd_config in seconds).
OK, I will learn reading - after reading the PoC again carefully: started DDoS attack and tried to connect with ssh from another console at the same time.

Before upgrade:
[marc@Rechner Programme]$ ssh test@192.168.0.119
ssh_exchange_identification: Connection closed by remote host

same error as described in PoC.

After upgrade:
[marc@Rechner Programme]$ ssh test@192.168.0.119
Password:
Last login: Wed Feb 13 23:15:09 2013 from 192.168.0.129
[test@MGA2_64 ~]$

so tested successfully. Will now test i586
Whiteboard: (none) => MGA2-64-OK
same result for i586:

before update:
[marc@Rechner Programme]$ ssh test@192.168.0.116
ssh_exchange_identification: Connection closed by remote host

after update:
[marc@Rechner Programme]$ ssh test@192.168.0.116
test@192.168.0.116's password:
Last login: Wed Feb 13 23:36:47 2013 from 192.168.0.129
[test@MGA2_32BIT ~]

validating. Please see Description for Advisory and srcrpm.

Can someone from the sysadmin team push the packages to Core Updates? Thanks
Keywords: (none) => validated_update
CC: marc.lattemann => sysadmin-bugs
Whiteboard: MGA2-64-OK => MGA2-64-OK, MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0052
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
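
The "Did not receive identification string" entries in the test report above are what sshd logs when a client opens a connection and closes it without sending an SSH banner. As an added example (not part of the bug report and not OpenSSH project code), this Python code counts those entries per source address in a sliding window; the function name, the threshold of 10 and the 120-second window are assumptions chosen to echo the connection count and LoginGraceTime mentioned in the thread, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the sshd message quoted in the thread (classic syslog format, no year).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Did not receive identification string from (?P<ip>\S+)"
)

def find_slot_hogs(lines, threshold=10, window_s=120, year=2013):
    """Return {ip: peak} for sources with >= threshold banner-less
    connections inside any window_s-second window (values are assumptions)."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            # Syslog omits the year, so the caller supplies it.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append(ts)
    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        start = peak = 0
        for end in range(len(stamps)):
            # Shrink the window from the left until it spans <= window_s.
            while stamps[end] - stamps[start] > timedelta(seconds=window_s):
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample: a burst from one host, two isolated events, one normal login.
SAMPLE = [
    f"Feb 13 22:24:{35 + i // 4:02d} MGA2_64 sshd[{5030 + i}]: "
    "Did not receive identification string from 192.168.0.129"
    for i in range(12)
] + [
    "Feb 13 22:25:01 MGA2_64 sshd[5050]: Did not receive identification string from 192.0.2.7",
    "Feb 13 22:31:40 MGA2_64 sshd[5061]: Did not receive identification string from 192.0.2.7",
    "Feb 13 22:32:02 MGA2_64 sshd[5070]: Accepted password for test from 192.168.0.129 port 51514 ssh2",
]

if __name__ == "__main__":
    print(find_slot_hogs(SAMPLE))
```
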