From $URL: A denial of service flaw was found in the way the default server configuration of OpenSSH, an open source implementation of SSH protocol versions 1 and 2, performed management of its connection slots. A remote attacker could use this flaw to cause connection slot exhaustion on the server.

References:
[1] http://seclists.org/oss-sec/2012/q1/1
[2] http://www.openwall.com/lists/oss-security/2013/02/06/5
[3] http://www.openwall.com/lists/oss-security/2013/02/07/3

Relevant upstream patches:
[4] http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
[5] http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
[6] http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89
The DoS can't be prevented, just [further] mitigated.
CVE-2010-5107 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-5107): The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections.
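The mitigation upstream shipped for this is not a shorter time limit but a change to the MaxStartups default: OpenSSH 6.2 moved it from a bare 10 (refuse every connection once 10 are pending authentication) to 10:30:100, which turns on "random early drop" so that an attacker has to hold 100 unauthenticated slots open, not 10, before a legitimate client is guaranteed to be refused. The script below is an added example, not code from this bug, from NVD or from OpenSSH; drop_probability() follows the integer arithmetic of drop_connection() in sshd.c as I read it, and the first-occurrence rule in effective_max_startups() is sshd_config's documented behaviour. The function names, the sample config text and the slot counts are constructed for illustration.

```python
"""Model of sshd's MaxStartups random early drop (CVE-2010-5107 mitigation).

Added example, not from the bug or from OpenSSH. The two defaults are from
sshd_config(5): a bare 10 through OpenSSH 6.1, 10:30:100 from 6.2 on.
"""
import random

OLD_DEFAULT = "10"          # OpenSSH <= 6.1: hard cap, no random early drop
NEW_DEFAULT = "10:30:100"   # OpenSSH >= 6.2: start:rate:full


def parse_max_startups(value):
    """Parse a MaxStartups value the way servconf.c does.

    'N'               -> begin = full = N (every connection beyond N refused)
    'start:rate:full' -> random early drop between start and full
    Returns (begin, rate, full). For the bare form the rate never matters,
    because drop_probability() decides before looking at it; 100 is a
    placeholder.
    """
    parts = value.split(":")
    if len(parts) == 1:
        n = int(parts[0])
        if n < 1:
            raise ValueError("MaxStartups must be positive: %r" % value)
        return n, 100, n
    if len(parts) != 3:
        raise ValueError("MaxStartups must be N or start:rate:full: %r" % value)
    begin, rate, full = (int(p) for p in parts)
    if begin > full or not 1 <= rate <= 100:
        raise ValueError("invalid MaxStartups %r" % value)
    return begin, rate, full


def drop_probability(startups, begin, rate, full):
    """Percent chance (0..100) that sshd refuses a new connection when
    `startups` unauthenticated connections are already pending."""
    if startups < begin:
        return 0
    if startups >= full or rate == 100:
        return 100
    # Linear ramp from rate% at `begin` to 100% at `full`, integer arithmetic
    # in the same order as sshd.c so the rounding matches.
    p = 100 - rate
    p *= startups - begin
    p //= full - begin
    p += rate
    return p


def should_drop(startups, policy, rng=random):
    """One accept decision: True means sshd closes the connection unauthenticated."""
    begin, rate, full = parse_max_startups(policy)
    return rng.randrange(100) < drop_probability(startups, begin, rate, full)


def effective_max_startups(sshd_config_text):
    """Return the MaxStartups in force: sshd honours the first occurrence of a
    keyword and otherwise uses the compiled-in default (assumed 6.2+ here)."""
    for line in sshd_config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "maxstartups":
            return parts[1].strip()
    return NEW_DEFAULT


def legit_accept_chance(policy, attacker_held):
    """Percent chance a legitimate client gets a slot while an attacker keeps
    `attacker_held` unauthenticated connections open (each one occupies a
    slot for LoginGraceTime, 120 s by default, at no cost to the attacker)."""
    begin, rate, full = parse_max_startups(policy)
    return 100 - drop_probability(attacker_held, begin, rate, full)


# Constructed sample sshd_config (not from any real host).
SAMPLE_CONFIG = """\
# Hardened: random early drop from 10 pending, everything refused at 100
MaxStartups 10:30:100
# The next line is ignored: sshd keeps the first value of a keyword
MaxStartups 10
LoginGraceTime 30
"""

if __name__ == "__main__":
    print("effective MaxStartups:", effective_max_startups(SAMPLE_CONFIG))
    print("attacker-held slots   accept%% with '%s'   accept%% with '%s'"
          % (OLD_DEFAULT, NEW_DEFAULT))
    for held in (5, 10, 30, 55, 99, 100):
        print("%19d   %18d   %24d" % (held,
                                       legit_accept_chance(OLD_DEFAULT, held),
                                       legit_accept_chance(NEW_DEFAULT, held)))
```

The table the script prints is the point of the comment that the DoS is only mitigated: with the old default a single attacker holding 10 idle TCP connections shuts out everyone, while with 10:30:100 the attacker needs 100 slots for the same effect and a legitimate client still has a 70% chance at 10 held slots, 35% at 55. Pairing the new default with a shorter LoginGraceTime, as the sample config does, lowers how long each attacker connection occupies a slot, but no setting makes the exhaustion impossible.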
The default value of MaxStartups is correct in the current stable OpenSSH in Gentoo (net-misc/openssh-6.6_p1-r1), so I assume this is fixed. Added this to the existing GLSA draft.
This issue was resolved and addressed in GLSA 201405-06 at http://security.gentoo.org/glsa/glsa-201405-06.xml by GLSA coordinator Mikle Kolyada (Zlogene).