Debian update for OpenSSH denial of service bug
The OpenSSH package in the Debian 4.0 "Etch" Linux distribution has been found to still have a vulnerability which may lead to a deliberate or accidental denial of service. Debian has released an update to its OpenSSH packages to remedy the issue.
The signal handler that manages the login timeout in Debian's version of the OpenSSH server used functions that are not async-signal-safe. Over time this leads to an accumulation of zombie sshd processes, which can eventually prevent users from logging in. The presence of zombie sshd processes does not by itself indicate an attack; the problem can occur in normal use, leading to an accidental lock-out.
The error was previously patched in OpenSSH 4.4p1, but a mistake in backporting the patch to Debian Etch meant the problem persisted in the Debian distribution. Debian has made available version 4.3p2-9etch3 of the OpenSSH package, which resolves the problem. The developers recommend upgrading to this version as soon as possible, especially for users with Internet-facing SSH connectivity.
Users of Debian's unstable distribution (sid) and the testing distribution (lenny) will find that OpenSSH 4.6p1-1 already has the issue fixed.
- Debian Security Advisory DSA-1638-1, Debian advisory with links to OpenSSH updates