Re: MDKSA-2000:057 - openssh update

[Markus Friedl <markus.friedl () INFORMATIK UNI-ERLANGEN DE>]

hello,

this makes no sense at all. the problem is about 'defects' in scp/rcp,
and has nothing to do with /usr/bin/ssh having sbits turned off or not.

this advisory is wrong, and missleading at its best.

-markus (@openssh.com)

On Tue, Oct 10, 2000 at 11:51:16AM -0600, Linux Mandrake Security Team wrote:
> ________________________________________________________________________
>
> Package name:         openssh
> Date:                 October 10th, 2000
> Advisory ID:          MDKSA-2000:057
>
> Affected versions:    7.0, 7.1
> ________________________________________________________________________
>
> Problem Description:
>
>  A problem exists with openssh's scp program.  If a user uses scp to
>  move files from a server that has been compromised, the operation can
>  be used to replace arbitrary files on the user's system.  The problem
>  is made more serious by setuid versions of ssh which allow overwriting
>  any file on the local user's system.  If the ssh program is not setuid
>  or is setuid to someone other than root, the intrustion is limited to
>  files with write access granted to the owner of the ssh program.  In
>  either case, files can be overwritten with code allowing others access
>  to the system unexpectedly.  While no fix has been provided for openssh
>  as of yet, the versions of openssh available for Linux-Mandrake 7.0 and
>  7.1 were setuid root.  This update removes the setuid bit from the ssh
>  program and limits the exploitability of scp somewhat.  All users of
>  Linux-Mandrake are encouraged to upgrade to these latest openssh
>  builds.  Linux-Mandrake 7.0 users will also need to upgrade openssl in
>  order to use the 7.0 update of openssh.
> ________________________________________________________________________