CVE-2010-5107
Published: 7 March 2013
The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections.
Notes
| Author | Note |
|---|---|
| jdstrand | This is a long-standing problem with any server that limits connections. This requires conffile changes. |
| mdeslaur | Upstream has changed the default MaxStartups to 10:30:100 to mitigate this issue. Sysadmins can change the equivalent config locally. We will not be fixing this issue in Ubuntu 12.04 LTS; in environments where this is a concern, we suggest setting the MaxStartups value to 10:30:100 in the sshd_config file. |
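As an added example (not part of this tracker entry or of OpenSSH's own code), a small Python audit helper that reads the effective MaxStartups value from an sshd_config text and reproduces the random-early-drop arithmetic sshd applies to the start:rate:full form, so the suggested 10:30:100 setting can be compared with the old single-integer default. The function names and the sample configs are constructed for illustration.

```python
import re

# Model of sshd's "random early drop" for MaxStartups start:rate:full:
# below `start` pending (unauthenticated) connections nothing is dropped,
# at `full` every new connection is refused, and in between the drop
# chance rises linearly from `rate`% to 100%.
def parse_max_startups(value):
    """Return (start, rate, full) for a MaxStartups value.

    A bare integer N (the sshd <= 6.1 default was "10") behaves like
    N:100:N: every new connection is refused once N are pending.
    """
    parts = value.strip().split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return (n, 100, n)
    if len(parts) != 3:
        raise ValueError("MaxStartups must be N or start:rate:full")
    start, rate, full = (int(p) for p in parts)
    if not (0 < start <= full) or not (0 <= rate <= 100):
        raise ValueError("invalid MaxStartups %r" % value)
    return (start, rate, full)

def drop_probability(setting, pending):
    """Percent chance a new connection is dropped with `pending`
    unauthenticated connections already open (integer arithmetic,
    as sshd does it)."""
    start, rate, full = setting
    if pending < start:
        return 0
    if pending >= full or rate == 100:
        return 100
    return (100 - rate) * (pending - start) // (full - start) + rate

def audit_sshd_config(text):
    """Effective MaxStartups from an sshd_config text. Keywords are
    case-insensitive, the first occurrence wins, and commented-out
    lines ('#MaxStartups ...') do not match. Absent => old 6.1 default."""
    for line in text.splitlines():
        m = re.match(r"\s*MaxStartups\s+(\S+)", line, re.IGNORECASE)
        if m:
            return parse_max_startups(m.group(1))
    return (10, 100, 10)  # hard cap of 10, no early drop

def has_early_drop(setting):
    """True when the setting degrades gracefully instead of a hard cap."""
    start, _rate, full = setting
    return full > start

# Constructed sample configs: the old default and the suggested mitigation.
SAMPLE_OLD = "Port 22\n#MaxStartups 10:30:100\nMaxStartups 10\n"
SAMPLE_NEW = "Port 22\nMaxStartups 10:30:100\n"
```

With the old default, the eleventh pending connection is always refused; with 10:30:100 the same load only drops about 30% of new connections, and refusal only becomes certain at 100 pending.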
Priority
Status
| Package | Release | Status |
|---|---|---|
| openssh (Launchpad, Ubuntu, Debian) | hardy | Ignored (end of life) |
| openssh | lucid | Ignored (end of life) |
| openssh | oneiric | Ignored (end of life) |
| openssh | precise | Ignored |
| openssh | quantal | Ignored (end of life) |
| openssh | raring | Not vulnerable (1:6.1p1-3) |
| openssh | saucy | Not vulnerable (1:6.1p1-3) |
| openssh | trusty | Not vulnerable (1:6.1p1-3) |
| openssh | upstream | Released (1:6.0p1-4) |
| openssh | utopic | Not vulnerable (1:6.1p1-3) |
| openssh | vivid | Not vulnerable (1:6.1p1-3) |
| openssh | wily | Not vulnerable (1:6.1p1-3) |
| openssh | xenial | Not vulnerable (1:6.1p1-3) |

Patches:
- upstream: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
- upstream: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
- upstream: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89