Package : openssh
Vulnerability : remote
Problem type : unsafe signal handler
Debian-specific: no
CVE Id(s) : CVE-2008-4109
Debian Bug : 498678
It has been discovered that the signal handler implementing the login
timeout in Debian's version of the OpenSSH server uses functions which
are not async-signal-safe, leading to a denial of service
vulnerability (CVE-2008-4109).
The problem was originally corrected in OpenSSH 4.4p1 (CVE-2006-5051),
but the patch backported to the version released with etch was
incorrect.
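The defect named above is a general one: a signal handler may only call async-signal-safe functions, because the signal can arrive while the interrupted code holds a lock inside malloc, stdio or syslog. The following is an added example (not OpenSSH code, and not the patch the advisory refers to) of a login-grace timeout written the safe way: the SIGALRM handler only sets a flag, and the cleanup runs in ordinary context once the blocking read returns EINTR. The unsafe handler is shown alongside for contrast and is never installed. It assumes a POSIX system (pipe, sigaction, setitimer); all function and variable names are the example's own.

```c
/* Added example, not OpenSSH code: a login-grace timeout whose SIGALRM
 * handler is async-signal-safe.  Assumes POSIX; names are hypothetical. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>
#include <unistd.h>

enum login_result { LOGIN_OK = 0, LOGIN_TIMEOUT = 1, LOGIN_ERROR = 2 };

/* The only state the safe handler touches.  volatile sig_atomic_t is the
 * one type C guarantees can be stored from a handler and read elsewhere. */
static volatile sig_atomic_t grace_expired = 0;
static void *session_buffer;

/* UNSAFE pattern, shown for contrast and never installed below: cleanup
 * inside the handler.  free(), stdio and exit() take locks or walk global
 * state; if SIGALRM lands while the interrupted code is inside one of them
 * the handler deadlocks or corrupts the heap, and the process hangs instead
 * of exiting.  That is the bug class the advisory describes. */
void unsafe_grace_handler(int sig)
{
    (void)sig;
    free(session_buffer);          /* not async-signal-safe */
    fprintf(stderr, "timeout\n");  /* not async-signal-safe */
    exit(1);                       /* runs atexit() hooks: not safe either */
}

/* SAFE pattern: record the event and return; nothing else. */
void safe_grace_handler(int sig)
{
    (void)sig;
    grace_expired = 1;
}

/* One-shot real-time timer in milliseconds; 0 disarms it. */
static int set_grace_timer(long timeout_ms)
{
    struct itimerval it;
    memset(&it, 0, sizeof it);            /* it_interval stays zero */
    it.it_value.tv_sec = timeout_ms / 1000;
    it.it_value.tv_usec = (timeout_ms % 1000) * 1000;
    return setitimer(ITIMER_REAL, &it, NULL);
}

/* Wait up to timeout_ms for the client's first line on fd. */
int await_login(int fd, long timeout_ms, char *buf, size_t buflen)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_grace_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;  /* no SA_RESTART: a blocked read() must fail with EINTR */
    grace_expired = 0;
    if (sigaction(SIGALRM, &sa, NULL) == -1 || set_grace_timer(timeout_ms) == -1)
        return LOGIN_ERROR;
    for (;;) {
        ssize_t n = read(fd, buf, buflen - 1);
        if (n > 0) {
            buf[n] = '\0';
            set_grace_timer(0);
            return LOGIN_OK;
        }
        if (n < 0 && errno == EINTR && grace_expired) {
            set_grace_timer(0);          /* ordinary cleanup belongs here */
            return LOGIN_TIMEOUT;
        }
        if (n == 0 || errno != EINTR) {  /* peer closed, or a real error */
            set_grace_timer(0);
            return LOGIN_ERROR;
        }
    }
}

/* Drives await_login over a pipe standing in for the client socket
 * (constructed input: the "client" either sends one line or stays silent). */
int simulate_login(int client_sends_data, long timeout_ms)
{
    int p[2], rc;
    char buf[64];
    if (pipe(p) == -1)
        return LOGIN_ERROR;
    if (client_sends_data && write(p[1], "user\n", 5) != 5)
        rc = LOGIN_ERROR;
    else
        rc = await_login(p[0], timeout_ms, buf, sizeof buf);
    close(p[0]);
    close(p[1]);
    return rc;
}

int main(void)
{
    printf("responsive client: %d\n", simulate_login(1, 500));
    printf("silent client:     %d\n", simulate_login(0, 500));
    return 0;
}
```

The responsive client returns LOGIN_OK and the silent one LOGIN_TIMEOUT after the grace period, with the process still alive and able to release its resources normally; the point of the flag-and-poll structure is that the handler never has to touch heap, stdio or logging state that the interrupted code may be in the middle of using.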
Systems affected by this issue accumulate large numbers of zombie sshd
processes. Processes stuck with a "[net]" process title have also been
observed. Over time, enough such processes may accumulate that further
login attempts are impossible. The presence of these processes does not
indicate active exploitation of this vulnerability: it is possible to
trigger this denial of service condition by accident.
For the stable distribution (etch), this problem has been fixed in
version 4.3p2-9etch3.
For the unstable distribution (sid) and the testing distribution
(lenny), this problem has been fixed in version 4.6p1-1.
We recommend that you upgrade your openssh packages.
Upgrade instructions
--------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
-------------------------------