CVE-2006-4925 - Affected OpenSSH Versions
Damien Miller
djm at mindrot.org
Tue Dec 18 09:39:31 EST 2012
On Mon, 17 Dec 2012, David Aaron wrote:
> Thank you for the previous information.
>
> However,
> http://www.securityfocus.com/archive/1/archive/1/447153/100/0/threaded,
> which is associated with CVE-2006-4925, explains the following:
>
> "Previous versions of the openssh package are vulnerable to a
> remote denial of service attack that cause the server to consume
> CPU when presented with certain data. They also have a bug (not
> a vulnerability) that causes the client to crash harmlessly
> instead of exiting cleanly under some attacks; this is not a
> vulnerability but is also fixed in this update."
>
> As such it would appear that there is a client side issue, as has been
> suggested, but also that there is a server side DoS issue as well. The
> server side DoS is the vulnerability of interest here.

The server DoS is:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4924

This is actually mentioned in the securityfocus discussion you referred to.