CVE-2008-4109

NameCVE-2008-4109
DescriptionA certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; before 4.6p1-1 on sid and lenny; and on other distributions such as SUSE uses functions that are not async-signal-safe in the signal handler for login timeouts, which allows remote attackers to cause a denial of service (connection slot exhaustion) via multiple login attempts. NOTE: this issue exists because of an incorrect fix for CVE-2006-5051.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesCVE-2006-5051, DSA-1638-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openssh (PTS)wheezy1:6.0p1-4+deb7u4fixed
wheezy (security)1:6.0p1-4+deb7u6fixed
jessie1:6.7p1-5+deb8u4fixed
jessie (security)1:6.7p1-5+deb8u3fixed
stretch1:7.4p1-10+deb9u2fixed
buster, sid1:7.6p1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
opensshsource(unstable)1:4.6p1-1low
opensshsourceetch1:4.3p2-9etch3mediumDSA-1638-1

Notes

The patch backported for CVE-2006-5051 was incorrect and did not
fully address the issue. The upstream fix in 4.4p1 was
right, and it the next unstable upload after that was 4.6p1.

Search for package or bug name: Reporting problems