CVE-2008-4109

NameCVE-2008-4109
DescriptionA certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; before 4.6p1-1 on sid and lenny; and on other distributions such as SUSE uses functions that are not async-signal-safe in the signal handler for login timeouts, which allows remote attackers to cause a denial of service (connection slot exhaustion) via multiple login attempts. NOTE: this issue exists because of an incorrect fix for CVE-2006-5051.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesCVE-2006-5051, DSA-1638-1
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openssh (PTS)jessie1:6.7p1-5+deb8u4fixed
jessie (security)1:6.7p1-5+deb8u8fixed
stretch1:7.4p1-10+deb9u7fixed
stretch (security)1:7.4p1-10+deb9u6fixed
buster, buster (security)1:7.9p1-10+deb10u1fixed
bullseye1:8.1p1-1fixed
sid1:8.1p1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
opensshsource(unstable)1:4.6p1-1low
opensshsourceetch1:4.3p2-9etch3DSA-1638-1

Notes

The patch backported for CVE-2006-5051 was incorrect and did not
fully address the issue. The upstream fix in 4.4p1 was
right, and it the next unstable upload after that was 4.6p1.

Search for package or bug name: Reporting problems