As per our policy, and in line with the security policy of most Linux
distributions, we do not update versions of software in stable releases
to fix security issues. We backport security fixes to the version
available when the stable release came out.

In the case of "OpenSSH X11 Hijacking Attack Vulnerability", AKA
CVE-2008-1483, the OpenSSH version in Hardy already contains a patch for
this issue, as seen in the changelog of version 4.7p1-5.

For "OpenSSH Plaintext Recovery Attack Against SSH Vulnerability", AKA
CVE-2008-5161, we have classified this as having a low security impact
since the upstream openssh project has deemed this issue "infeasible in
most circumstances". If this issue is a concern for you, you may
configure your ssh server to prefer the AES CTR mode ciphers, as they do
not contain this flaw. In order to do so, edit your server's sshd_config
file to contain the following line:

Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc

Due to the first issue being fixed already, and the second attack being
"infeasible", we are of the opinion that the current OpenSSH packages in
Hardy correctly adhere to PCI-DSS compliance.


** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1483

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-5161

** Changed in: openssh (Ubuntu)
       Status: New => Invalid

-- 
Hardy OpenSSH version out-of-date - security risks
https://bugs.launchpad.net/bugs/651720
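A check for the mitigation described in the comment above (an added example, not part of the bug report or of the openssh package): it reads an sshd_config, takes the first Ciphers directive the way sshd does, and reports whether any CBC cipher is offered ahead of the first CTR cipher. The two sample configurations are constructed for the example.

```python
import re

CBC_SUFFIX = "-cbc"  # CBC-mode ciphers are the ones affected by CVE-2008-5161
CTR_SUFFIX = "-ctr"  # CTR-mode ciphers are the ones the comment says to prefer


def effective_ciphers(config_text):
    """Return the cipher list from the first 'Ciphers' directive, or None.

    sshd honours the first occurrence of a keyword and ignores later ones, so a
    hardened line appended at the end of sshd_config may silently have no effect.
    Keywords are case-insensitive and may be separated from values by '=' or
    whitespace; comment and blank lines are skipped.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "ciphers" and len(parts) == 2:
            return [c.strip().lower() for c in parts[1].split(",") if c.strip()]
    return None


def check_ctr_preferred(cipher_list):
    """Return (ok, reason): ok is True only if no CBC cipher precedes the first CTR one.

    The negotiated cipher is the first entry in the server's list that the client
    also supports, so CTR must be listed first for the mitigation to take effect.
    """
    if cipher_list is None:
        return False, "no Ciphers directive: the server default applies and is not checked here"
    first_ctr = next((i for i, c in enumerate(cipher_list) if c.endswith(CTR_SUFFIX)), None)
    if first_ctr is None:
        return False, "no CTR cipher offered"
    early_cbc = [c for c in cipher_list[:first_ctr] if c.endswith(CBC_SUFFIX)]
    if early_cbc:
        return False, "CBC ciphers precede first CTR cipher: " + ",".join(early_cbc)
    return True, "CTR ciphers preferred"


def audit(config_text):
    return check_ctr_preferred(effective_ciphers(config_text))


# Constructed sample: the recommended line was appended, but an earlier Ciphers
# directive already exists, so sshd ignores the appended one.
SAMPLE_WEAK = "# sshd_config (constructed)\nPort 22\nCiphers aes256-cbc,aes128-cbc,aes128-ctr\n" \
              "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n"
# Constructed sample: only the recommended line is present.
SAMPLE_FIXED = "Port 22\nCiphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n"

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(name, audit(text))
```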