In association with heise online

04 April 2008, 16:12

OpenSSH developers up the ante with version 5.0

Only a few days after releasing OpenSSH 4.9, the developers have launched version 5.0 to resolve a vulnerability. In certain circumstances, the SSH daemon binds TCP ports to a local IPv6 interface if all the ports on the IPv4 interface have already been allocated. According to a report, this could be exploited by users logged in with restricted privileges to spy on X11 forwarding sessions.

In their release notes, the developers apologise for releasing two new versions in such quick succession, saying that they only found out about the hole through a public CVE report. According to the notes, although the maintainers of Debian were originally informed about the hole in January, they neglected to pass on the information.

However, the flaw was already added to Secunia's public database of vulnerabilities on March 26, and the CVE entry is dated March 24. It appears that this might have given the developers enough time to at least delay the release of version 4.9, which was scheduled for March 30, by a few days.
