
Cisco Bug: CSCte63324 - Mismatch with OpenSSH RPMs and Critical Vulnerability

Last Modified

Feb 02, 2017

Products (3)

  • Cisco Unified Communications Manager (CallManager)
  • Cisco Unity Connection Version 7.1
  • Cisco Unified Communications Manager Version 7.1

Known Affected Releases


Description (partial)

OpenSSH RPMs on 7.1.5 are mismatched and the older RPM contains a critical 
vulnerability.  The mismatch is as follows:


The RH vulnerability is as follows:

Last week Red Hat detected an intrusion on certain of its computer systems 
and took immediate action. While the investigation into the intrusion is 
on-going, our initial focus was to review and test the distribution channel we use 
with our customers, Red Hat Network (RHN) and its associated 
security measures. Based on these efforts, we remain highly confident that our 
systems and processes prevented the intrusion from compromising RHN or the 
content distributed via RHN and accordingly believe that customers who keep 
their systems updated using Red Hat Network are not at risk. We are 
issuing this alert primarily for those who may obtain Red Hat binary packages 
via channels other than those of official Red Hat subscribers. 

In connection with the incident, the intruder was able to sign a small number 
of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and 
x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 
architecture only). As a precautionary measure, we are releasing an updated 
version of these packages, and have published a list of the tampered packages 
and how to detect them at

These packages also fix a low severity flaw in the way ssh handles X11 cookies 
when creating X11 forwarding connections. When ssh was unable to create an 
untrusted cookie, ssh used a trusted cookie instead, possibly allowing the 
administrative user of an untrusted remote server, or an untrusted 
application run on the remote server, to gain unintended access to a user's local 
X server. (CVE-2007-4752)
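
The bug's title concerns OpenSSH RPMs that do not match each other. The following check for that condition on an RPM-based host is an added example, not part of the Cisco bug text or the Red Hat advisory. The function name `check_openssh_rpms` and the sample version strings are constructed for illustration; the specific mismatch in this bug is not shown on the page.

```shell
#!/bin/sh
# Input: one package per line, "NAME VERSION-RELEASE ARCH", as printed by
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{ARCH}\n' | grep '^openssh'

# Constructed samples; the version strings are placeholders, not values from the bug.
SAMPLE_MISMATCH='openssh 0.0p0-2.example i386
openssh-clients 0.0p0-2.example i386
openssh-server 0.0p0-1.example i386
openssl 0.0.0-1.example i386'

SAMPLE_OK='openssh 0.0p0-2.example i386
openssh-clients 0.0p0-2.example i386
openssh-server 0.0p0-2.example i386'

# Reads query lines on stdin and lists the OpenSSH packages of any architecture
# that carries more than one version-release (hypothetical helper).
# Exit status: 0 consistent, 1 mismatch found, 2 no OpenSSH package in the input.
check_openssh_rpms() {
    awk '
        $1 == "openssh" || $1 ~ /^openssh-/ {
            seen = 1
            # Remember every package line per architecture for the report.
            pkgs[$3] = pkgs[$3] "  " $1 " " $2 "\n"
            # Count distinct version-release strings per architecture.
            if (!(($3, $2) in vr)) { vr[$3, $2] = 1; distinct[$3]++ }
        }
        END {
            if (!seen) { print "no openssh packages in input"; exit 2 }
            for (arch in distinct)
                if (distinct[arch] > 1) {
                    bad = 1
                    printf "MISMATCH (%s):\n%s", arch, pkgs[arch]
                }
            exit (bad ? 1 : 0)
        }
    '
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_MISMATCH" | check_openssh_rpms || echo "exit status: $?"
```

On a live host, pipe the `rpm -qa` query from the header comment into the function instead of the sample.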
