CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
61.1%
Matt Zimmerman discovered that entries in ~/.ssh/authorized_keys
with options (such as “no-port-forwarding” or forced commands) were
ignored by the new ssh-vulnkey tool introduced in OpenSSH (see
USN-612-2). This could cause some compromised keys not to be
listed in ssh-vulnkey’s output.
This update also adds more information to ssh-vulnkey’s manual page.
Original advisory details:
A weakness has been discovered in the random number generator used
by OpenSSL on Debian and Ubuntu systems. As a result of this
weakness, certain encryption keys are much more common than they
should be, such that an attacker could guess the key through a
brute-force attack given minimal knowledge of the system. This
particularly affects the use of encryption keys in OpenSSH, OpenVPN
and SSL certificates.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Ubuntu | 8.04 | noarch | openssh-client | < 1:4.7p1-8ubuntu1.2 | UNKNOWN |
Ubuntu | 8.04 | noarch | openssh-client-udeb | < 1:4.7p1-8ubuntu1.2 | UNKNOWN |
Ubuntu | 8.04 | noarch | openssh-server | < 1:4.7p1-8ubuntu1.2 | UNKNOWN |
Ubuntu | 8.04 | noarch | openssh-server-udeb | < 1:4.7p1-8ubuntu1.2 | UNKNOWN |
Ubuntu | 8.04 | noarch | ssh-askpass-gnome | < 1:4.7p1-8ubuntu1.2 | UNKNOWN |
Ubuntu | 7.10 | noarch | openssh-client | < 1:4.6p1-5ubuntu0.5 | UNKNOWN |
Ubuntu | 7.10 | noarch | openssh-client-udeb | < 1:4.6p1-5ubuntu0.5 | UNKNOWN |
Ubuntu | 7.10 | noarch | openssh-server | < 1:4.6p1-5ubuntu0.5 | UNKNOWN |
Ubuntu | 7.10 | noarch | openssh-server-udeb | < 1:4.6p1-5ubuntu0.5 | UNKNOWN |
Ubuntu | 7.10 | noarch | ssh-askpass-gnome | < 1:4.6p1-5ubuntu0.5 | UNKNOWN |