Your message dated Fri, 28 May 2004 17:32:10 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#248125: fixed in openssh 1:3.8.1p1-4
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Date: Sun, 9 May 2004 15:40:21 +0200
From: "Mario 'BitKoenig' Holbe" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: sshd: processes keep alive after connection break

Package: ssh
Version: 1:3.8p1-3
Severity: critical

Hello,

sshd leaves processes alive if a connection breaks during the
authentication phase:

Initial state is:

| [EMAIL PROTECTED]:~# ps -ef | grep ssh
| root     27981     1  0 15:29 ?        00:00:00 /usr/sbin/sshd
| [EMAIL PROTECTED]:~#

Now I do:

| [EMAIL PROTECTED]:/home/holbe% ssh [EMAIL PROTECTED]
| Password:

Which results in:

| [EMAIL PROTECTED]:~# ps -ef | grep ssh
| root     27981     1  0 15:28 ?        00:00:00 /usr/sbin/sshd
| holbe    28162  1398  0 15:31 tty5     00:00:00 ssh [EMAIL PROTECTED]
| root     28163 27981  0 15:31 ?        00:00:00 sshd: holbe [priv]
| sshd     28165 28163  0 15:31 ?        00:00:00 sshd: holbe [net]
| root     28166 28163  0 15:31 ?        00:00:00 sshd: holbe [pam]
| [EMAIL PROTECTED]:~#

Now I break the client with Ctrl-C:

| [EMAIL PROTECTED]:/home/holbe% ssh [EMAIL PROTECTED]
| Password:
| 
| [EMAIL PROTECTED]:/home/holbe%

And the result is:

| [EMAIL PROTECTED]:~# ps -ef | grep ssh
| root     27981     1  0 15:28 ?        00:00:00 /usr/sbin/sshd
| root     28163 27981  0 15:31 ?        00:00:00 sshd: holbe [priv]
| sshd     28165 28163  0 15:31 ?        00:00:00 [sshd] <defunct>
| root     28166 28163  0 15:31 ?        00:00:00 sshd: holbe [pam]
| [EMAIL PROTECTED]:~#

Those processes remain running until I manually kill them.

This could very easily be exploited for a Denial-of-Service
attack against system resources (processes). There is no
special knowledge needed about the victim system; this also
works with uids that don't exist.
That's why I set the severity to critical.


regards,
   Mario
-- 
<jv> Oh well, config
<jv> one actually wonders what force in the universe is holding it
<jv> and makes it working
<Beeth> chances and accidents :)
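
Added example, not part of the original report and not OpenSSH code: a check that reads `ps -ef` output and reports the state shown in the report, an sshd [priv] monitor that still has a [pam] child while its [net] child is defunct or gone. It assumes the process titles appear exactly as in the report; the function names and the sample constant are hypothetical.

```python
import re

# Constructed sample: the report's `ps -ef` output after the client was
# interrupted, with the redacted shell prompt lines left out.
SAMPLE_PS = """\
root     27981     1  0 15:28 ?        00:00:00 /usr/sbin/sshd
root     28163 27981  0 15:31 ?        00:00:00 sshd: holbe [priv]
sshd     28165 28163  0 15:31 ?        00:00:00 [sshd] <defunct>
root     28166 28163  0 15:31 ?        00:00:00 sshd: holbe [pam]
"""

# Columns of `ps -ef`: UID PID PPID C STIME TTY TIME CMD
PS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+\S+\s+\S+\s+\S+\s+\S+\s+(.*)$")


def parse_ps(text):
    """Parse `ps -ef` lines into dicts; the header and odd lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = PS_LINE.match(line.strip())
        if m:
            uid, pid, ppid, cmd = m.groups()
            procs.append({"uid": uid, "pid": int(pid),
                          "ppid": int(ppid), "cmd": cmd})
    return procs


def stale_preauth(procs):
    """Return PIDs of [priv] monitors with a live [pam] child but no live [net] child."""
    children = {}
    for p in procs:
        children.setdefault(p["ppid"], []).append(p)
    stale = []
    for p in procs:
        if not re.fullmatch(r"sshd: .* \[priv\]", p["cmd"]):
            continue
        kids = children.get(p["pid"], [])
        # A defunct [net] child shows up as "[sshd] <defunct>", so it does not count.
        net_alive = any(k["cmd"].endswith("[net]") for k in kids)
        pam_alive = any(k["cmd"].endswith("[pam]") for k in kids)
        if pam_alive and not net_alive:
            stale.append(p["pid"])
    return stale


if __name__ == "__main__":
    print("stale pre-auth monitors:", stale_preauth(parse_ps(SAMPLE_PS)))
```

A session that is still waiting at the password prompt has a live [net] child and is not reported.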

---------------------------------------
From: Colin Watson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#248125: fixed in openssh 1:3.8.1p1-4
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Fri, 28 May 2004 17:32:10 -0400

Source: openssh
Source-Version: 1:3.8.1p1-4

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_3.8.1p1-4_powerpc.udeb
  to pool/main/o/openssh/openssh-client-udeb_3.8.1p1-4_powerpc.udeb
openssh-server-udeb_3.8.1p1-4_powerpc.udeb
  to pool/main/o/openssh/openssh-server-udeb_3.8.1p1-4_powerpc.udeb
openssh_3.8.1p1-4.diff.gz
  to pool/main/o/openssh/openssh_3.8.1p1-4.diff.gz
openssh_3.8.1p1-4.dsc
  to pool/main/o/openssh/openssh_3.8.1p1-4.dsc
ssh-askpass-gnome_3.8.1p1-4_powerpc.deb
  to pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-4_powerpc.deb
ssh_3.8.1p1-4_powerpc.deb
  to pool/main/o/openssh/ssh_3.8.1p1-4_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[EMAIL PROTECTED]> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 28 May 2004 17:58:45 -0300
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server-udeb
Architecture: source powerpc
Version: 1:3.8.1p1-4
Distribution: unstable
Urgency: medium
Maintainer: Matthew Vernon <[EMAIL PROTECTED]>
Changed-By: Colin Watson <[EMAIL PROTECTED]>
Description: 
 openssh-client-udeb - Secure shell client for the Debian installer (udeb)
 openssh-server-udeb - Secure shell server for the Debian installer (udeb)
 ssh        - Secure rlogin/rsh/rcp replacement (OpenSSH)
 ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 248125
Changes: 
 openssh (1:3.8.1p1-4) unstable; urgency=medium
 .
   * Kill off PAM thread if privsep slave dies (closes: #248125).
Files: 
 8dce3b0bc4cdc70093d8dbdc473e9bd8 890 net standard openssh_3.8.1p1-4.dsc
 313bb10cb79d9677e887935de39c7178 145574 net standard openssh_3.8.1p1-4.diff.gz
 d56bb8a20deefd960104e0a11d6bd23e 730442 net standard ssh_3.8.1p1-4_powerpc.deb
 08f2e260a229e3886bb06ff3dec6a553 51610 gnome optional ssh-askpass-gnome_3.8.1p1-4_powerpc.deb
 0c181ed3e4c6496eb3bf725543cafae2 100746 debian-installer optional openssh-client-udeb_3.8.1p1-4_powerpc.udeb
 f2dd9a38bcd13f6beab183583db5a1b2 160116 debian-installer optional openssh-server-udeb_3.8.1p1-4_powerpc.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Colin Watson <[EMAIL PROTECTED]> -- Debian developer

iD8DBQFAt6s39t0zAhD6TNERAh32AJ4+34IeBeOc/4toCW8c478PQr5b9ACfSMQD
l/NRDsnwai0LTXXpA0RhWaU=
=JvF4
-----END PGP SIGNATURE-----

