All errata/sisyphus/ALT-PU-2016-2124-1
ALT-PU-2016-2124-1

Package update openssh in branch sisyphus

Version7.2p2-alt2
Task#171152
Published2016-10-20
Max severityHIGH
Severity:

Closed issues (6)

BDU:2016-02237
MEDIUM5.9

Уязвимость сетевого протокола ssh, связанная с раскрытием информации, позволяющая нарушителю получить доступ к конфиденциальным данным

Published: 2016-11-03Modified: 2024-11-28
CVSS 3.xMEDIUM 5.9
CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0MEDIUM 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N
References
BDU:2016-02352
HIGH7.8

Уязвимость средства криптографической защиты OpenSSH, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2016-12-15Modified: 2021-03-23
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2022-07416
HIGH7.8

Уязвимость функции do_setup_env (session.c) службы sshd средства криптографической защиты OpenSSH, позволяющая нарушителю повысить свои привилегии

Published: 2022-12-24Modified: 2022-12-26
CVSS 3.xHIGH 7.8
CVSS:3.x/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0MEDIUM 6.5
CVSS:2.0/AV:L/AC:L/Au:M/C:C/I:C/A:C
References
CVE-2015-8325
HIGH7.8

The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable.

Published: 2016-05-01Modified: 2025-04-12
CVSS 2.0HIGH 7.2
CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS 3.xHIGH 7.8
CVSS:3.x/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
CVE-2016-6210
MEDIUM5.9

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided.

Published: 2017-02-13Modified: 2025-04-20
CVSS 2.0MEDIUM 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS 3.xMEDIUM 5.9
CVSS:3.x/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References
CVE-2016-8858
HIGH7.5

The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests. NOTE: a third party reports that "OpenSSH upstream does not consider this as a security issue."

Published: 2016-12-09Modified: 2025-04-12
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References