
Advisories, September 27, 2006

Sep 28, 2006, 03:45

Gentoo Linux

Gentoo Linux Security Advisory GLSA 200609-17


Severity: Normal
Title: OpenSSH: Denial of Service
Date: September 27, 2006
Bugs: #148228
ID: 200609-17


Synopsis

A flaw in the OpenSSH daemon allows remote unauthenticated attackers to cause a Denial of Service.


Background

OpenSSH is a free suite of applications for the SSH protocol, developed and maintained by the OpenBSD project.

Affected packages

     Package            /  Vulnerable   /  Unaffected

  1  net-misc/openssh      < 4.3_p2-r5      >= 4.3_p2-r5


Description

Tavis Ormandy of the Google Security Team discovered a Denial of Service vulnerability in the SSH protocol version 1 CRC compensation attack detector.


Impact

A remote unauthenticated attacker may be able to trigger excessive CPU usage by sending a pathological SSH message, denying service to other legitimate users or processes.


Workaround

The system administrator may disable SSH protocol version 1 in /etc/ssh/sshd_config.
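As an added example, not part of the Gentoo advisory, the following POSIX shell script audits an sshd_config for the workaround above: it reports whether SSH protocol version 1 is still offered, which is the condition that exposes the CRC compensation attack detector to unauthenticated clients. The sample config files are constructed inline; the script assumes the OpenSSH 4.x behaviour that an absent Protocol directive means the compiled-in default "2,1", and that sshd honours the first occurrence of a directive.

```shell
#!/bin/sh
# Added example (not from the Gentoo or rPath advisories): audit an sshd_config
# for the workaround, i.e. check whether SSH protocol version 1 is still enabled.
# Assumption: on OpenSSH 4.x a missing "Protocol" line means the default "2,1".

# Print the effective value of the Protocol directive in the given file.
# sshd uses the first uncommented occurrence of a directive, so the first
# match wins; a commented-out "#Protocol 2,1" has $1 == "#Protocol" and is skipped.
effective_protocol() {
    val=$(awk 'tolower($1) == "protocol" { print $2; exit }' "$1")
    [ -n "$val" ] || val="2,1"   # OpenSSH 4.x default (assumption, see above)
    printf '%s\n' "$val"
}

# Return 0 (true) when protocol 1 appears anywhere in the comma-separated list
# ("2,1", "1,2" or "1"); return 1 when only protocol 2 is offered.
sshv1_enabled() {
    case ",$(effective_protocol "$1")," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample configs standing in for /etc/ssh/sshd_config.
SAMPLE_DIR=$(mktemp -d)
printf '#Protocol 2,1\nPort 22\n'    > "$SAMPLE_DIR/stock.conf"       # default left in place
printf 'Port 22\nProtocol 2\n'      > "$SAMPLE_DIR/hardened.conf"    # workaround applied
printf 'Protocol 2,1\nProtocol 2\n' > "$SAMPLE_DIR/first_wins.conf"  # second line is ignored by sshd

for f in "$SAMPLE_DIR"/*.conf; do
    if sshv1_enabled "$f"; then
        echo "$f: Protocol $(effective_protocol "$f") -> SSH-1 enabled; set 'Protocol 2' and restart sshd"
    else
        echo "$f: Protocol $(effective_protocol "$f") -> SSH-1 disabled"
    fi
done
```

The workaround itself is the single directive `Protocol 2` in /etc/ssh/sshd_config followed by a restart of sshd. It removes the unauthenticated path to the protocol 1 CRC compensation detector but does not patch the code; upgrading to the unaffected package remains the fix.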


Resolution

All OpenSSH users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/openssh-4.3_p2-r3"


References

[ 1 ] CVE-2006-4924



This GLSA and any updates to it are available for viewing at the Gentoo Security Website:



Security is a primary focus of Gentoo Linux, and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org; alternatively, you may file a bug at http://bugs.gentoo.org.


Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.


rPath Linux

rPath Security Advisory: 2006-0174-1
Published: 2006-09-27
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification: Remote Deterministic Denial of Service
Updated Versions:




Previous versions of the openssh package are vulnerable to a remote denial of service attack that causes the server to consume CPU when presented with certain data. They also have a bug (not a vulnerability) that causes the client to crash harmlessly instead of exiting cleanly under some attacks; this is also fixed in this update.