Release date:
Updated on: 2011-09-09
Affected Systems:
OpenSSH 2.x
Unaffected system:
OpenSSH 2.9 p2
Description:
--------------------------------------------------------------------------------
Bugtraq id: 49473
Cve id: CVE-2001-0572
OpenSSH replaces telnet, ftp, rlogin, rsh, and rcp with secure and encrypted network connection tools.
OpenSSH has the information leakage vulnerability in the implementation of encrypted sockets. Remote attackers can exploit this vulnerability to obtain sensitive information.
In an interactive SSH Session, the user's keyboard output can cause the SSH client to send an IP packet to the SSH server. The remote server returns the entered characters to the user, the SSH server sends IP packets to the SSH client. This action can form an identifiable mode in the message data to leak user activity information.
<* Source: Solar Designer (solar@openwall.com)
Link: http://www.kb.cert.org/vuls/id/596827
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
OpenSSH
-------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
Http://www.openssh.com/