Author: fw
Date: 2008-09-16 21:01:22 +0000 (Tue, 16 Sep 2008)
New Revision: 9834
Modified:
data/CVE/list
Log:
CVE-2008-4109: openssh
CVE-2006-5051: openssh, actually relevant
Modified: data/CVE/list
==================================================================---
data/CVE/list 2008-09-16 20:41:56 UTC (rev 9833)
+++ data/CVE/list 2008-09-16 21:01:22 UTC (rev 9834)
@@ -1,3 +1,9 @@
+CVE-2008-4109 [unsafe sigdie function called by signal handler]
+ {CVE-2006-5051}
+ - openssh 1:4.6p1-1 (low)
+ NOTE: The patch backported for CVE-2006-5051 was incorrect and did not
+ NOTE: fully address the issue. The upstream fix in 4.4p1 was
+ NOTE: right, and it the next unstable upload after that was 4.6p1.
CVE-2008-4100 [adns predictable transaction id''s and source port]
- adns <unfixed> (unimportant; bug #492698)
NOTE: adns is not supported in untrusted contexts, see BR
@@ -31220,7 +31226,7 @@
- openssh 1:4.6p1-1 (low)
CVE-2006-5051 (Signal handler race condition in OpenSSH before 4.4 allows
remote ...)
{DSA-1212 DSA-1189-1}
- - openssh 1:4.3p2-4 (unimportant)
+ - openssh 1:4.6p1-1 (low)
- openssh-krb5 <removed> (high)
NOTE: From my analysis only openssh with Kerberos support should be vulnerable
NOTE: However, we''ll fix openssh as well just to make sure