-----  B a l a B i t   S e c u r i t y   A d v i s o r y   ( B B S A )  -----
PACKAGE             : openssh
AFFECTED VERSION    : <= 1:3.8.1p1-8.zorpos8, <= 1:4.2p1-7ubuntu3.2.zorpos33.1
FIXED               : 1:3.8.1p1-8.zorpos9, 1:4.2p1-7ubuntu3.2.zorpos33.2
SUMMARY             : Unsafe signal handler
TYPE                : remote
AFFECTED            : ZorpOS 3.1, ZorpOS 3.3
ZORP-OS SPECIFIC    : NO
BBSA-AUTHOR         : Tamás Pál <tamas.pal@balabit.hu>
BBSA-ID             : BBSA-2008-043
BBSA-ADDRESS        : advisory@balabit.hu
GNUPG FINGERPRINT   : 933E 6763 D32D A01C 1A75  F228 9CB1 81C7 D91E 8915
CVE                 : CVE-2008-4109
DATE                : Sep 18, 2008
-----------------------------------------------------------------------------

BACKGROUND:

  Debian's backport of the OpenSSH team's fix the signal handler race condition
  (CVE-2006-5051) was incorrect. It has been discovered that the signal
  handler implementing the login timeout in the OpenSSH server uses non
  async-signal-safe logging functions, leading to a denial-of-service
  vulnerability.

  Systems affected by this issue suffer from lots of zombie sshd processes.
  Processes stuck with a "[net]" process title have also been observed. Over
  time, a sufficient number of processes may accumulate such that further
  login attempts are impossible. Presence of these processes does not indicate
  active exploitation of this vulnerability. It is possible to trigger this
  denial of service condition by accident.

SOLUTION:

  We recommend that you update the affected packages immediately.

  Upgrading using apt:
  ~~~~~~~~~~~~~~~~~~~~
  Add the following line to /etc/apt/sources.list (if it doesn't
  contain this line already)

  ZorpOS version 3.1:

    deb https://USERNAME:PASSWORD@apt.balabit.hu/zorp-os \
      zorp-os-3.1/3.1security zorp-os zorp-os-extra

  ZorpOS version 3.3:

    deb https://USERNAME:PASSWORD@apt.balabit.hu/zorp-os \
      zorp-os-3.3/3.3security zorp-os zorp-os-extra

  then issue the following commands as root:

  apt-get update

  apt-get -u upgrade

  The latest upgrades will be downloaded and installed.

REFERENCES:

  http://www.debian.org/security/2008/dsa-1638
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4109
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051