Rapid7 Vulnerability & Exploit Database

RHSA-2009:1470: openssh security update

Back to Search

RHSA-2009:1470: openssh security update

Severity
7
CVSS
(AV:L/AC:M/Au:N/C:C/I:C/A:C)
Published
10/01/2009
Created
07/25/2018
Added
10/14/2009
Modified
07/04/2017

Description

OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. Thesepackages include the core files necessary for both the OpenSSH client andserver.A Red Hat specific patch used in the openssh packages as shipped in RedHat Enterprise Linux 5.4 (RHSA-2009:1287) loosened certain ownershiprequirements for directories used as arguments for the ChrootDirectoryconfiguration options. A malicious user that also has or previously hadnon-chroot shell access to a system could possibly use this flaw toescalate their privileges and run commands as any system user.(CVE-2009-2904)All OpenSSH users are advised to upgrade to these updated packages, whichcontain a backported patch to resolve this issue. After installing thisupdate, the OpenSSH server daemon (sshd) will be restarted automatically.

Solution(s)

  • redhat-upgrade-openssh
  • redhat-upgrade-openssh-askpass
  • redhat-upgrade-openssh-clients
  • redhat-upgrade-openssh-server

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;