In association with heise online

29 September 2006, 13:47

OpenSSH update removes vulnerabilities


The developers of OpenSSH have released version 4.4, closing three vulnerabilities in the process. The recently reported error in the SSHv1 implementation is likely among them. Two of the vulnerabilities can be exploited for denial-of-service attacks, while the third makes it easier to guess valid user names.

Under certain circumstances, one of the holes could have allowed code to be planted. According to the developers' advisory, this applies only to portable OpenSSH, the version ported from OpenBSD to all other Unix derivatives. Authentication via the Generic Security Services Application Program Interface (GSSAPI), an interface for security services, must also be activated. The developers nevertheless estimate the chances of an attack successfully using this hole as very low. OpenSSH 4.4 also introduces new functions and fixes several non-security-related errors.
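The conditions above can be turned into a quick triage check for an administrator deciding how urgently a host needs the update. This is an added example, not code from the article or from the OpenSSH project; the function names and result labels are hypothetical, and it assumes that every release before 4.4 is unpatched (a distributor's backported package can carry the fixes under an older version number).

```python
import re

FIXED = (4, 4)  # release the article names as closing the three holes

def parse_banner(banner):
    """Return ((major, minor), is_portable) from `ssh -V` style text.

    Portable releases carry a 'p' suffix (OpenSSH_4.3p2); OpenBSD's own do not.
    """
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:\.\d+)?(p\d+)?", banner)
    if not m:
        raise ValueError("not an OpenSSH version string: %r" % banner)
    return (int(m.group(1)), int(m.group(2))), m.group(3) is not None

def gssapi_enabled(sshd_config_text):
    """True if GSSAPIAuthentication is switched on in sshd_config text.

    sshd keeps the first value it reads for a keyword; the default is 'no'.
    """
    for line in sshd_config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "gssapiauthentication" and len(parts) == 2:
            return parts[1].strip().strip('"').lower() == "yes"
    return False

def triage(banner, sshd_config_text):
    """Hypothetical labels: 'updated', 'update', 'update-urgent'."""
    version, portable = parse_banner(banner)
    if version >= FIXED:
        return "updated"
    if portable and gssapi_enabled(sshd_config_text):
        return "update-urgent"  # conditions for the code-planting hole are met
    return "update"  # denial-of-service and user-name guessing holes remain

if __name__ == "__main__":
    # Constructed sample input, not taken from a real host.
    sample_banner = "OpenSSH_4.3p2 Debian-9, OpenSSL 0.9.8c"
    sample_config = "Protocol 2\n#PasswordAuthentication yes\nGSSAPIAuthentication yes\n"
    print(triage(sample_banner, sample_config))
```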

Linux distributors are likely to provide updated packages in the near future.
