National Cyber-Alert System

Vulnerability Summary for CVE-2005-2798

Overview

sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts.

Impact

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

Vendor Statments (disclaimer)

Official Statement from Red Hat (11/20/2006)

This issue does not affect Red Hat Enterprise Linux 2.1 and 3. This flaw was fixed in Red Hat Enterprise Linux 4 via errata RHSA-2005:527: http://rhn.redhat.com/errata/RHSA-2005-527.html

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: SECUNIA

Name: 16686

Type: Advisory; Patch Information

Hyperlink:http://secunia.com/advisories/16686

External Source: UBUNTU

Name: USN-209-1

Hyperlink:http://www.ubuntulinux.org/support/documentation/usn/usn-209-1

External Source: BID

Name: 14729

Hyperlink:http://www.securityfocus.com/bid/14729

External Source: HP

Name: HPSBUX02090

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/421411/100/0/threaded

External Source: REDHAT

Name: RHSA-2005:527

Hyperlink:http://www.redhat.com/support/errata/RHSA-2005-527.html

External Source: MLIST

Name: [openssh-unix-announce] 20050901 Announce: OpenSSH 4.2 released

Hyperlink:http://www.mindrot.org/pipermail/openssh-unix-announce/2005-September/000083.html

External Source: MANDRIVA

Name: MDKSA-2005:172

Hyperlink:http://www.mandriva.com/security/advisories?name=MDKSA-2005:172

External Source: VUPEN

Name: ADV-2006-0144

Hyperlink:http://www.frsirt.com/english/advisories/2006/0144

External Source: SECUNIA

Name: 18406

Hyperlink:http://secunia.com/advisories/18406

External Source: SECUNIA

Name: 18010

Hyperlink:http://secunia.com/advisories/18010

External Source: SECUNIA

Name: 17245

Hyperlink:http://secunia.com/advisories/17245

External Source: SECUNIA

Name: 17077

Hyperlink:http://secunia.com/advisories/17077

External Source: SCO

Name: SCOSA-2005.53

Hyperlink:ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.53/SCOSA-2005.53.txt

External Source: XF

Name: hpux-secure-shell-dos(24064)

Hyperlink:http://xforce.iss.net/xforce/xfdb/24064

External Source: OSVDB

Name: 19141

Hyperlink:http://www.osvdb.org/19141

External Source: SECUNIA

Name: 18661

Hyperlink:http://support.avaya.com/elmodocs2/security/ASA-2006-033.htm

External Source: CONFIRM

Name: http://support.avaya.com/elmodocs2/security/ASA-2006-016.htm

Hyperlink:http://support.avaya.com/elmodocs2/security/ASA-2006-016.htm

External Source: SECTRACK

Name: 1014845

Hyperlink:http://securitytracker.com/id?1014845

External Source: SECUNIA

Name: 18717

Hyperlink:http://secunia.com/advisories/18717

External Source: SECUNIA

Name: 18507

Hyperlink:http://secunia.com/advisories/18507

External Source: SUSE

Name: SUSE-SR:2006:003

Hyperlink:http://lists.suse.com/archive/suse-security-announce/2006-Feb/0001.html

US Government Resource: oval:org.mitre.oval:def:1566

Name: oval:org.mitre.oval:def:1566

Type: Tool Signature

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1566

US Government Resource: oval:org.mitre.oval:def:1345

Name: oval:org.mitre.oval:def:1345

Type: Tool Signature

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1345