Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability

From: <kernelclue () hushmail com>
Date: Tue, 16 Sep 2003 14:08:48 -0700
OpenSSH runs on a number of platforms, Windows included.  To say this
reflects on GNU/Linux or any Linux distro is just nonsense.

On Tue, 16 Sep 2003 11:29:30 -0700 Dave Monk <dave () themaneater com> wrote:

Recent security advisories featuring the operating system known as
'GNU/Linux' (formerly minix) has had a negative effect on the
listserv.

The problem stems from the polymorphic, virus-like phenomenon also
known as the 'Linux distro', the Linux distro allows any single
permutation of a base Linux install (such as location of the mail
spool) to actually qualify and require an entire new operating
system distribution.  At this point in time there are over 50
distros out there.

The cascade failure effect is that the minute a hole or flaw in
a
base Linux subsystem such as the kernel or system tools immediately
causes a flood of 'vendor' emails sent to bugtraq describing each
way to disable/upgrade the broken feature on their OS.

The effect is that the 'signal to stupid-linux-bug ratio' on the
lists gets completely out of whack thereby diluting the utility
of the list.

Solutions:

 None. (how do you expect to stop a tidal wave of suicidal VC money?)

Workarounds:

1) All advisories should be filtered through RMS, which would achieve
  the desired effect of delaying their posting indefinitely.
2) All such advisories should be prefixed by '[YASLB]' in the subject
line
  (yet another stupid linux bug) so I can filter this stupid crap.

thanks,
everyone


bugzilla () redhat com (bugzilla () redhat com) wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------

---------

                   Red Hat Security Advisory

Synopsis:          Updated OpenSSH packages fix potential vulnerability
Advisory ID:       RHSA-2003:279-01
Issue date:        2003-09-16
Updated on:        2003-09-16
Product:           Red Hat Linux
Keywords:          
Cross references:  
Obsoletes:         RHSA-2003:222
CVE Names:         CAN-2003-0693
- ------------------------------------------------------------

---------


1. Topic:

Updated OpenSSH packages are now available that fix a bug that

may be

remotely exploitable.

2. Relevant releases/architectures:

Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386
Red Hat Linux 9 - i386

3. Problem description:

OpenSSH is a suite of network connectivity tools that can be used

to

establish encrypted connections between systems on a network and

can

provide interactive login sessions and port forwarding, among

other functions.


The OpenSSH team has announced a bug which affects the OpenSSH

buffer

handling code.  This bug has the potential of being remotely exploitable.

All users of OpenSSH should immediately apply this update which

contains a

backported fix for this issue.

4. Solution:

Before applying this update, make sure all previously released

errata

relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. 

Only those

RPMs which are currently installed will be updated.  Those RPMs

which are

not installed but included in the list will not be updated.  Note

that you

can also use wildcards (*.rpm) if your current directory *only*

contains the

desired RPMs.

Please note that this update is also available via Red Hat Network.

Many

people find this an easier way to apply updates.  To use Red Hat

Network,

launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the

appropriate

RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL Certificate

Errors, you need to install a version of the up2date client with

an updated 

certificate.  The latest version of up2date is available from

the Red Hat 

FTP site and may also be downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

5. RPMs required:

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/openssh-3.1p1-9.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/openssh-3.1p1-9.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openssh-clients-3.1p1-

9.i386.rpm

ftp://updates.redhat.com/7.1/en/os/i386/openssh-server-3.1p1-9.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openssh-askpass-3.1p1-

9.i386.rpm

ftp://updates.redhat.com/7.1/en/os/i386/openssh-askpass-gnome-

3.1p1-9.i386.rpm


Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/openssh-3.1p1-10.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/openssh-3.1p1-10.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssh-clients-3.1p1-

10.i386.rpm

ftp://updates.redhat.com/7.2/en/os/i386/openssh-server-3.1p1-10.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssh-askpass-3.1p1-

10.i386.rpm

ftp://updates.redhat.com/7.2/en/os/i386/openssh-askpass-gnome-

3.1p1-10.i386.rpm


ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/openssh-3.1p1-10.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openssh-clients-3.1p1-

10.ia64.rpm

ftp://updates.redhat.com/7.2/en/os/ia64/openssh-server-3.1p1-10.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openssh-askpass-3.1p1-

10.ia64.rpm

ftp://updates.redhat.com/7.2/en/os/ia64/openssh-askpass-gnome-

3.1p1-10.ia64.rpm


Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/openssh-3.1p1-10.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/openssh-3.1p1-10.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openssh-clients-3.1p1-

10.i386.rpm

ftp://updates.redhat.com/7.3/en/os/i386/openssh-server-3.1p1-10.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openssh-askpass-3.1p1-

10.i386.rpm

ftp://updates.redhat.com/7.3/en/os/i386/openssh-askpass-gnome-

3.1p1-10.i386.rpm


Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/openssh-3.4p1-5.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/openssh-3.4p1-5.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/openssh-clients-3.4p1-

5.i386.rpm

ftp://updates.redhat.com/8.0/en/os/i386/openssh-server-3.4p1-5.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/openssh-askpass-3.4p1-

5.i386.rpm

ftp://updates.redhat.com/8.0/en/os/i386/openssh-askpass-gnome-

3.4p1-5.i386.rpm


Red Hat Linux 9:

SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/openssh-3.5p1-9.src.rpm

i386:
ftp://updates.redhat.com/9/en/os/i386/openssh-3.5p1-9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/openssh-clients-3.5p1-9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/openssh-server-3.5p1-9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/openssh-askpass-3.5p1-9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/openssh-askpass-gnome-3.5p1-



9.i386.rpm




6. Verification:

MD5 sum                          Package Name
- ------------------------------------------------------------

--------------

68c4a788b259ac5d80696344a1635238 7.1/en/os/SRPMS/openssh-3.1p1-

9.src.rpm

2cb116a25b5d3f2ae0290c2b02eb822a 7.1/en/os/i386/openssh-3.1p1-

9.i386.rpm

8871705678463c84f5bac0d7e314c51d 7.1/en/os/i386/openssh-askpass-

3.1p1-9.i386.rpm

d40669604c1003d5fa56a0fe8f5f259f 7.1/en/os/i386/openssh-askpass-

gnome-3.1p1-9.i386.rpm

ad58192a0988ae2ba28303892344dc15 7.1/en/os/i386/openssh-clients-

3.1p1-9.i386.rpm

275ab4661dfef3d2331a044723728ba8 7.1/en/os/i386/openssh-server-

3.1p1-9.i386.rpm

8a643b9a1c2081510494bcfe81d704da 7.2/en/os/SRPMS/openssh-3.1p1-

10.src.rpm

41d575bf0e8740dea7be6f228cd49a06 7.2/en/os/i386/openssh-3.1p1-

10.i386.rpm

4b768a29889a977e780f40829767f139 7.2/en/os/i386/openssh-askpass-

3.1p1-10.i386.rpm

c6ade41287005e1bc3e773d489571b2f 7.2/en/os/i386/openssh-askpass-

gnome-3.1p1-10.i386.rpm

ac2a157d5527b94629b393709dafee88 7.2/en/os/i386/openssh-clients-

3.1p1-10.i386.rpm

dfd86218d209c998c1f5877470e08ee3 7.2/en/os/i386/openssh-server-

3.1p1-10.i386.rpm

35ed02df36d62ae2ae388bdb1a2fde8b 7.2/en/os/ia64/openssh-3.1p1-

10.ia64.rpm

00efc09f44de8e8757ed002b1c8f33d1 7.2/en/os/ia64/openssh-askpass-

3.1p1-10.ia64.rpm

0a08a3bf5bdd95fb718c9f588aeb19a5 7.2/en/os/ia64/openssh-askpass-

gnome-3.1p1-10.ia64.rpm

ad1d2c29d579622abeb9aaddc3ba2205 7.2/en/os/ia64/openssh-clients-

3.1p1-10.ia64.rpm

baa9c271eea7d6d3d49fc14d4cc6cd20 7.2/en/os/ia64/openssh-server-

3.1p1-10.ia64.rpm

8a643b9a1c2081510494bcfe81d704da 7.3/en/os/SRPMS/openssh-3.1p1-

10.src.rpm

41d575bf0e8740dea7be6f228cd49a06 7.3/en/os/i386/openssh-3.1p1-

10.i386.rpm

4b768a29889a977e780f40829767f139 7.3/en/os/i386/openssh-askpass-

3.1p1-10.i386.rpm

c6ade41287005e1bc3e773d489571b2f 7.3/en/os/i386/openssh-askpass-

gnome-3.1p1-10.i386.rpm

ac2a157d5527b94629b393709dafee88 7.3/en/os/i386/openssh-clients-

3.1p1-10.i386.rpm

dfd86218d209c998c1f5877470e08ee3 7.3/en/os/i386/openssh-server-

3.1p1-10.i386.rpm

9b0e321ba85cb0d0d92aa8d2215b660b 8.0/en/os/SRPMS/openssh-3.4p1-

5.src.rpm

98eec1cabf75d33b4dab5cbcc1fa3916 8.0/en/os/i386/openssh-3.4p1-

5.i386.rpm

40a5f106abe732b2de667d8eea533bfb 8.0/en/os/i386/openssh-askpass-

3.4p1-5.i386.rpm

2d7066401fdffdc33d8432c5a6e15bf2 8.0/en/os/i386/openssh-askpass-

gnome-3.4p1-5.i386.rpm

437bf2bd207673ce3ab9632e6c862972 8.0/en/os/i386/openssh-clients-

3.4p1-5.i386.rpm

b1d6e055c373770fac486b1c32b1110b 8.0/en/os/i386/openssh-server-

3.4p1-5.i386.rpm

7b1cf7bfc16af8675fef75f1c82825ca 9/en/os/SRPMS/openssh-3.5p1-9.src.rpm
42127cbc814679cefd1db11265eb2ded 9/en/os/i386/openssh-3.5p1-9.i386.rpm
301a68bc432e7ac55f847edbb30b4741 9/en/os/i386/openssh-askpass-

3.5p1-9.i386.rpm

baeb84c227233c05d5b6e9e3bc1bdd3d 9/en/os/i386/openssh-askpass-

gnome-3.5p1-9.i386.rpm

78188bca46a3ccbba67d1040f42e3c07 9/en/os/i386/openssh-clients-

3.5p1-9.i386.rpm

2233bfd17074fd127dac4f47b57e905c 9/en/os/i386/openssh-server-3.5p1-



9.i386.rpm



These packages are GPG signed by Red Hat for security.  Our key

is

available from https://www.redhat.com/security/keys.html

You can verify each package with the following command:
    
    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted

or

tampered with, examine only the md5sum with the following command:
    
    md5sum <filename>


7. References:

http://marc.theaimsgroup.com/?l=openbsd-misc&m=106371592604940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693

8. Contact:

The Red Hat security contact is <secalert () redhat com>.  More contact
details at https://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/Z06fXlSAg2UNWIIRAjxnAJ9aO/FjfvTrpAJSHTT3XDTvZj3/zwCgkKLt
kgDsuTIKPlAf1EIS42Rg4Bo=
=NzeI
-----END PGP SIGNATURE-----


-- 
Dave McKay
dave () mu org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: