Bugtraq mailing list archives
CONECTIVA LINUX SECURITY ANNOUNCEMENT - OPENSSH
From: andreas () CONECTIVA COM BR (Andreas Hasenack)
Date: Sat, 10 Jun 2000 14:11:56 -0300
---------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT ---------------------------------------------------------------------- PACKAGE: openssh SUMMARY: "UseLogin" option allows remote execution of commands as root DATE: 2000-06-10 AFFECTED CONECTIVA VERSIONS : 5.0 ---------------------------------------------------------------------- DESCRIPTION Openssh's default installation doesn't have this problem. If the "UseLogin" option is used, then the ssh server won't drop its root privileges, instead relying on the login program to do so. But if the user specifies a command to be executed during the ssh session, the login program won't be used and the program will be run with full root privileges. SOLUTION Users with the "UseLogin" option set to "no" in /etc/ssh/sshd_config are not vulnerable. If, however, this option is needed, then openssh MUST be upgraded IMMEDIATELY. Updated packages for openssl are also provided to satisfy openssh's dependencies. DIRECT DOWNLOAD LINKS TO UPDATED PACKAGES ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-2.1.1p1-1cl.i386.rpm ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-askpass-2.1.1p1-1cl.i386.rpm ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-askpass-gnome-2.1.1p1-1cl.i386.rpm ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-clients-2.1.1p1-1cl.i386.rpm ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-server-2.1.1p1-1cl.i386.rpm ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssl-0.9.5a-1cl.i386.rpm ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssl-devel-0.9.5a-1cl.i386.rpm DIRECT LINK TO THE SOURCE PACKAGE ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/openssh-2.1.1p1-1cl.src.rpm ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/openssl-0.9.5a-1cl.src.rpm ---------------------------------------------------------------------- All packages are signed with Conectiva's PGP key. The key can be obtained at http://www.conectiva.com.br/conectiva/contato.html ---------------------------------------------------------------------- subscribe: atualizacoes-anuncio-subscribe () bazar conectiva com br unsubscribe: atualizacoes-anuncio-unsubscribe () bazar conectiva com br
Current thread:
- Re: OpenSSH's UseLogin option allows remote access with root privilege., (continued)
- Re: OpenSSH's UseLogin option allows remote access with root privilege. Bernhard Rosenkraenzer (Jun 10)
- Re: OpenSSH's UseLogin option allows remote access with root privilege. Phil Stracchino (Jun 10)
- IBM WebSphere JSP showcode vulnerability stuart.mcclure () FOUNDSTONE COM (Jun 11)
- Re: OpenSSH's UseLogin option allows remote access with root privilege. Markus Friedl (Jun 12)
- Using IP Filter to protect FW-1 4.0 (fwd) Darren Reed (Jun 12)
- FreeBSD Security Advisory: FreeBSD-SA-00:25.alpha-dev-random FreeBSD Security Advisories (Jun 12)
- RFPolicy for vulnerability disclosure rain forest puppy (Jun 12)
- CGI: Selena Sol's WebBanner ( Random Banner Generator ) Vulnerability Johannes Westerink (Jun 12)
- SmartFTP Daemon v0.2 Beta Build 9 - Remote Exploit Moritz Jodeit (Jun 13)
- Ethics ?? : Re: local root on linux 2.2.15 Gerrie (Jun 10)
- Re: OpenSSH's UseLogin option allows remote access with root privilege. Bernhard Rosenkraenzer (Jun 10)
- CONECTIVA LINUX SECURITY ANNOUNCEMENT - OPENSSH Andreas Hasenack (Jun 10)
- Trustix Security Advisory Oystein Viggen (Jun 09)
- Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC Tom Yu (Jun 09)
- Remote DOS in linux rpc.lockd mmurray () FSCINTERNET COM (Jun 08)
- Re: Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC Mike Friedman (Jun 09)
- Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities Antonio Galea (Jun 15)
- Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities Lionel Cons (Jun 16)
- Call For Participation - Raid 2000 Herve Debar (Jun 16)
- Veritas Volume Manager 3.0.x hole Dixie Flatline (Jun 16)
- Re: Veritas Volume Manager 3.0.x hole Louis-Philippe Reid (Jun 16)
- Perl Crypt::CBC concern Darryl Miles (Jun 17)