[ubuntu-hardened] OpenVAS Vulnerability on Ubuntu Linux Server 8.04
Kaushal Shriyan
kaushalshriyan at gmail.com
Tue Nov 16 17:06:39 UTC 2010
On Tue, Nov 16, 2010 at 10:21 PM, Robert Bowman <rhbowman at gmail.com> wrote:
> You need to update by "sudo apt-get update && sudo apt-get -y upgrade" out
> of that package.
>
> On Tue, Nov 16, 2010 at 11:47 AM, Kaushal Shriyan <kaushalshriyan at gmail.com>
> wrote:
>>
>> Hi
>> This bug was fixed in the package openssh - 1:5.2p1-1ubuntu1 as
>> per https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/379329
>> is it available in Hardy 8.04 ?
>> Thanks
>> Kaushal
>>
>> Forwarded conversation
>> Subject: OpenVAS Vulnerability on Ubuntu Linux Server 8.04
>> ------------------------
>>
>> From: Kaushal Shriyan <kaushalshriyan at gmail.com>
>> Date: Tue, Nov 16, 2010 at 6:50 PM
>> To: ubuntu-hardened at lists.ubuntu.com
>>
>>
>> Hi,
>>
>> Can someone please suggest/guide me about the vulnerability below? I
>> have run OpenVAS Scanner and it reports this vulnerability. The
>> affected server is Ubuntu 8.04.
>>
>> Medium
>> OpenSSH CBC Mode Information Disclosure Vulnerability
>> Risk: Medium
>> Application: ssh
>> Port: 22
>> Protocol: tcp
>> ScriptID: 100153
>> Overview: The host is installed with OpenSSH and is prone to an information
>> disclosure vulnerability.
>> Vulnerability Insight:
>> The flaw is caused due to the improper handling of errors within an SSH
>> session encrypted with a block cipher algorithm in the Cipher-Block
>> Chaining 'CBC' mode.
>> Impact:
>> Successful exploits will allow attackers to obtain four bytes of plaintext
>> from an encrypted session.
>> Impact Level: Application
>> Affected Software/OS:
>> Versions prior to OpenSSH 5.2 are vulnerable. Various versions of SSH
>> Tectia are also affected.
>> Fix: Upgrade to higher version
>> http://www.openssh.com/portable.html
>> References:
>> http://www.securityfocus.com/bid/32319
>> CVE : CVE-2008-5161
>> BID : 32319
>>
>> Thanks and Regards
>>
>> Kaushal
>>
>> ----------
>> From: Jeff Schroeder <jeffschroeder at computer.org>
>> Date: Tue, Nov 16, 2010 at 6:53 PM
>> To: Ubuntu security discussion <ubuntu-hardened at lists.ubuntu.com>
>>
>>
>> https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/379329
>>
>>
>>
>> --
>> Jeff Schroeder
>>
>> Don't drink and derive, alcohol and analysis don't mix.
>> http://www.digitalprognosis.com
>>
>
>
>
> --
> _________________________
> ROBERT BOWMAN
> P. 317-426-7313
> E. rhbowman at gmail.com
>
>
Hi Robert,
When I do apt-get -y upgrade, I don't see the openssh-server package :/
#apt-get -y upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages have been kept back:
linux-generic linux-image-generic linux-restricted-modules-generic
The following packages will be upgraded:
acpid bind9-host bzip2 dnsutils dpkg dpkg-dev fastjar fuse-utils
gzip krb5-clients krb5-user language-pack-en language-pack-en-base
language-pack-gnome-en
language-pack-gnome-en-base libbind9-30 libbz2-1.0 libc6 libc6-dev
libc6-i386 libcupsys2 libdns36 libexpat1 libfreetype6 libfuse2
libisc35 libisccc30 libisccfg30 libkadm55
libkrb53 libldap-2.4-2 liblwres30 libmysqlclient15off libnss-db
libpam-smbpass libpng12-0 libpq5 libssl-dev libssl0.9.8 libthai-data
libthai0 libtiff4 libwww-perl libxml2
linux-libc-dev linux-restricted-modules-common lvm2 mysql-client-5.0
mysql-common nscd openssl python2.5 python2.5-minimal samba-common
smbclient sudo w3m wget
58 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
Need to get 50.0MB of archives.
After this operation, 2073kB of additional disk space will be used.
dpkg -l '*openssh*'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-f/Unpacked/Failed-cfg/Half-inst/t-aWait/T-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name                Version                  Description
+++-===================-========================-=================================================
ii  openssh-blacklist   0.1-1ubuntu0.8.04.1      list of blacklisted OpenSSH RSA and DSA keys
ii  openssh-client      1:4.7p1-8ubuntu1.2       secure shell client, an rlogin/rsh/rcp replacement
ii  openssh-server      1:4.7p1-8ubuntu1.2       secure shell server, an rshd replacement
# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 8.04
Release: 8.04
Codename: hardy
#
Thanks and Regards
Kaushal
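An added example, not from this thread and not Ubuntu's or OpenSSH's own code, of how to look at such a finding on the server side: it shows what the scanner's version-only test concludes from the Hardy package version above (Ubuntu backports fixes without bumping the upstream version, so that test alone cannot settle it), and separately whether an sshd_config actually offers CBC ciphers, which is what CVE-2008-5161 needs. The sshd_config contents are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Two separate checks for the finding:
# (1) the scanner's conclusion from a package version like "1:4.7p1-8ubuntu1.2",
# (2) whether sshd really offers CBC ciphers, which CVE-2008-5161 requires.

# "1:4.7p1-8ubuntu1.2" -> "4.7": strip epoch, Debian revision and "pN" suffix.
upstream_version() {
    v=${1#*:}
    v=${v%%-*}
    v=${v%%p*}
    printf '%s\n' "$v"
}

# Scanner logic: succeed (exit 0) when the upstream version is below 5.2.
version_below_5_2() {
    ver=$(upstream_version "$1")
    major=${ver%%.*}
    case $ver in
        *.*) rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 2 ]; }
}

# Print the effective Ciphers list of an sshd_config read from stdin. sshd uses
# the FIRST "Ciphers" line and ignores comments; with no such line the built-in
# default applies, which before OpenSSH 5.2 lists CBC ciphers first -> DEFAULT.
effective_ciphers() {
    list=$(sed -n 's/^[[:space:]]*[Cc]iphers[[:space:]]\{1,\}//p' | head -n 1)
    printf '%s\n' "${list:-DEFAULT}"
}

# Succeed when really exposed: pre-5.2 default list, or any *-cbc cipher named.
cbc_exposed() {
    case $(effective_ciphers) in
        DEFAULT|*-cbc*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Constructed sample: CTR only; the later CBC line is ignored (first line wins).
SAMPLE_CONFIG='Port 22
# Ciphers aes128-cbc,3des-cbc
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Ciphers aes128-cbc'

version_below_5_2 "1:4.7p1-8ubuntu1.2" && echo "scanner: version below 5.2, flagged"
printf '%s\n' "$SAMPLE_CONFIG" | cbc_exposed && echo "CBC offered" || echo "CTR only"
```

Run it against the real file with `effective_ciphers < /etc/ssh/sshd_config`; a CTR-only list removes the exposure regardless of what the version check says.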