CVE 2011-5000
'The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and earlier, when gssapi-with-mic authentication is enabled, allows remote authenticated users to cause a denial of service (memory consumption) via a large value in a certain length field. NOTE: there may be limited scenarios in which this issue is relevant.'
ClearCenter response
Short response
Low security risk. Fixed in backported patch (ClearOS 6.x)
Long response
This bug allows an authenticated SSH users to cause a denial of service condition when gssapi-with-mic authentication is enabled. Since ClearOS allows only root access by default, this condition is low risk where present. Only administrators should be allowed in via SSH (ClearOS 5.x). This issue is fixed in a backported patch (ClearOS 6.x).
Resolution
- ClearOS 5.x: Only allow trusted authentications via SSH.
- ClearOS 6.x: Ensure that you are up to date on patches
To validate that you are running openssh-5.3p1-81.el6 or later, run the following:
rpm -qi openssh
If you need to update, run the following:
yum update