CVE-2010-5107
Published: 7 March 2013
The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections.
Notes
| Author | Note |
|---|---|
| jdstrand | this is a long-standing problem with any server that limits connections. This requires conffile changes. |
| mdeslaur | Upstream has changed the default MaxStartups to 10:30:100 to mitigate this issue. Sysadmins can change the equivalent config locally. we will not be fixing this issue in Ubuntu 12.04 LTS, in environments where this is a concern, we suggest settings the MaxStartups value to 10:30:100 in the sshd_config file |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
openssh Launchpad, Ubuntu, Debian |
hardy |
Ignored
(end of life)
|
| lucid |
Ignored
(end of life)
|
|
| oneiric |
Ignored
(end of life)
|
|
| precise |
Ignored
|
|
| quantal |
Ignored
(end of life)
|
|
| raring |
Not vulnerable
(1:6.1p1-3)
|
|
| saucy |
Not vulnerable
(1:6.1p1-3)
|
|
| trusty |
Not vulnerable
(1:6.1p1-3)
|
|
| upstream |
Released
(1:6.0p1-4)
|
|
| utopic |
Not vulnerable
(1:6.1p1-3)
|
|
| vivid |
Not vulnerable
(1:6.1p1-3)
|
|
| wily |
Not vulnerable
(1:6.1p1-3)
|
|
| xenial |
Not vulnerable
(1:6.1p1-3)
|
|
|
Patches: upstream: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234 upstream: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156 upstream: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89 |
||