CVE-2009-2904 - not patched F11 openssh?

Michał Piotrowski mkkp4x4 at gmail.com
Sat Mar 27 20:17:13 UTC 2010


2010/3/27 Steve Grubb <sgrubb at redhat.com>:
> On Saturday 27 March 2010 09:17:55 am Steve Grubb wrote:
>> On Friday 26 March 2010 07:25:53 pm Michał Piotrowski wrote:
>> > Vulnerability described in CVE-2009-2904
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2904 was
>> > addressed in https://rhn.redhat.com/errata/RHSA-2009-1470.html for
>> > RHEL. Isn't F11 openssh version also vulnerable?
>>
>> RHEL5 uses version 4.3. The CVE was caused by a flaw in a patch that
>> backported a feature from 4.8 to 4.3. Fedora 11 is on 5.2, so it should
>> not be vulnerable.
>
> More research...looks like this took care of it:
>
> * Mon Sep 21 2009 Jan F. Chadima <jchadima at redhat.com> - 5.2p1-6
> - remove homechroot patch
>
> So if you are on 5.2p1-6, you should be OK.
>

This upgrade should be pushed to updates-testing and updates

yum --enablerepo=updates-testing upgrade openssh
[..]
 openssh              x86_64      5.2p1-5.fc11       updates-testing      265 k

Regards,
Michal


More information about the devel mailing list