Need Help to Fix CVE-2008-1483, CVE-2008-5161, CVE-2015-5600 and CVE-2015-6565

abhi dhiman abhi.dhiman83 at gmail.com
Mon Mar 14 18:04:37 AEDT 2016


Hi All,

I fount following text on internet.

5161:

Error handling in the SSH protocol in (1) SSH Tectia Client and Server and
Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8;
Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on
IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and
6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K;
and (2) OpenSSH
4.7p1 and possibly other versions, when using a block cipher algorithm
in Cipher
Block Chaining (CBC) mode, makes it easier for remote attackers to recover
certain plaintext data from an arbitrary block of ciphertext in an SSH
session via unknown vectors.



1483:

OpenSSH 4.3p2, and probably other versions, allows local users to hijack
forwarded X connections by causing ssh to set DISPLAY to :10, even when
another process is listening on the associated port, as demonstrated by
opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.




Are these vulnerabilities applicable on Openssh 6.2p version?

Do we need to patch these in 6.2p.


Regards

Abhishek




On Mon, Mar 14, 2016 at 12:31 PM, abhi dhiman <abhi.dhiman83 at gmail.com>
wrote:

> Hi All,
>
> Please direct me to the code changes for above vulnerabilities.
> We don't have a vendor but we use Openssh in our software. So can't
> upgrade it right now.
>
> Regards
> Abhishek
>
> On Tue, Mar 8, 2016 at 7:08 PM, Martin Hecht <hecht at hlrs.de> wrote:
>
>>
>> Was that ssh shipped with your OS distribution? If yes, it might already
>> be patched if you have installed the OS security patches. Check with
>> your OS vendor.
>>
>> On 03/08/2016 02:19 PM, abhi dhiman wrote:
>> > Hi Gert,
>> >
>> > Thanks for your reply.
>> >
>> > But we can't upgrade to 7.2 version also we don't have plan to upgrade
>> in
>> > near future. Can I fix these vulnerabilities in the current version?
>> >
>> > Regards
>> > Abhishek
>> >
>> > On Tue, Mar 8, 2016 at 6:42 PM, Gert Doering <gert at greenie.muc.de>
>> wrote:
>> >
>> >> Hi,
>> >>
>> >> On Tue, Mar 08, 2016 at 06:14:01PM +0530, abhi dhiman wrote:
>> >>> Actually I am working with the OpenSSH version 6.2p which is
>> vulnerable
>> >> to
>> >>> above mentioned vulnerabilities.
>> >>>
>> >>> So am looking for some help how I can fix these vulnerabilities in my
>> >>> version. I need to fix it in the OpenSSH code.
>> >> "Upgrade to 7.2"?
>> >>
>> >> gert
>> >> --
>> >> USENET is *not* the non-clickable part of WWW!
>> >>                                                            //
>> >> www.muc.de/~gert/
>> >> Gert Doering - Munich, Germany
>> >> gert at greenie.muc.de
>> >> fax: +49-89-35655025
>> >> gert at net.informatik.tu-muenchen.de
>> >>
>> >
>> >
>>
>>
>>
>
>
> --
> abhi~dhiman
>



-- 
abhi~dhiman


More information about the openssh-unix-dev mailing list