Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 419357 (CVE-2012-0814)

Summary: <net-misc/openssh-5.8_p1-r1 : information leak (CVE-2012-0814)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: base-system, robbat2
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A4 [glsa]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2012-06-02 14:22:36 UTC
CVE-2012-0814 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0814):
  The auth_parse_options function in auth-options.c in sshd in OpenSSH before
  5.7 provides debug messages containing authorized_keys command options,
  which allows remote authenticated users to obtain potentially sensitive
  information by reading these messages, as demonstrated by the shared user
  account required by Gitolite.  NOTE: this can cross privilege boundaries
  because a user account may intentionally have no shell or filesystem access,
  and therefore may have no supported way to read an authorized_keys file in
  its own home directory.


Please punt vulnerable versions.
Comment 1 SpanKY gentoo-dev 2012-06-02 17:52:28 UTC
openssh-5.9_p1-r4 is already stable
Comment 2 Agostino Sarubbo gentoo-dev 2012-06-02 21:46:10 UTC
(In reply to comment #1)
> openssh-5.9_p1-r4 is already stable

Is ok to remove from the tree all vulnerable version before 5.9_p1-r4?
Comment 3 SpanKY gentoo-dev 2012-06-04 16:25:33 UTC
we haven't generally bothered in the past.  i don't see why this would be any different.
Comment 4 Agostino Sarubbo gentoo-dev 2012-11-16 17:48:39 UTC
the cleanup has been done.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-05-11 13:56:37 UTC
This issue was resolved and addressed in
 GLSA 201405-06 at http://security.gentoo.org/glsa/glsa-201405-06.xml
by GLSA coordinator Mikle Kolyada (Zlogene).