From security@linux-mandrake.com Wed Jun 26 15:38:32 2002 From: Mandrake Linux Security Team To: bugtraq@securityfocus.com Date: 25 Jun 2002 02:41:17 -0000 Subject: MDKSA-2002:040 - openssh update -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ________________________________________________________________________ Mandrake Linux Security Update Advisory ________________________________________________________________________ Package name: openssh Advisory ID: MDKSA-2002:040 Date: June 24th, 2002 Affected versions: 7.1, 7.2, 8.0, 8.1, 8.2, Corporate Server 1.0.1, Single Network Firewall 7.2 ________________________________________________________________________ Problem Description: Details of an upcoming OpenSSH vulnerability will be published early next week. According to the OpenSSH team, this remote vulnerability cannot be exploited when sshd is running with privilege separation. The priv separation code is significantly improved in version 3.3 of OpenSSH which was released on June 21st. Unfortunately, there are some known problems with this release; compression does not work on all operating systems and the PAM support has not been completed. The OpenSSH team encourages everyone to upgrade to version 3.3 immediately and enable privilege separation. This can be enabled by placing in your /etc/ssh/sshd_config file the following: UsePrivilegeSeparation yes The vulnerability that will be disclosed next week is not fixed in version 3.3 of OpenSSH, however with priv separation enabled, you will not be vulnerable to it. This is because privilege separation uses a seperate non-privileged process to handle most of the work, meaning that any vulnerability in this part of OpenSSH will never lead to a root compromise. Only access as the non-privileged user restricted in chroot would be available. MandrakeSoft encourages all of our users to upgrade to the updated packages immediately. This update creates a new user and group on the system named sshd that is used to run the non-privileged processes. ________________________________________________________________________ References: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102495293705094&w=2 ________________________________________________________________________ Updated Packages: Linux-Mandrake 7.1: ac86db7914ba6fc85b17fc99d06a937c 7.1/RPMS/openssh-3.3p1-3.1mdk.i586.rpm f718cb570e2ee62fc32e053813d3cfbf 7.1/RPMS/openssh-askpass-3.3p1-3.1mdk.i586.rpm 6f3c54d22d992032e306ae5070158a71 7.1/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.i586.rpm 94257fd0269dad04bd5440b7ee5cf053 7.1/RPMS/openssh-clients-3.3p1-3.1mdk.i586.rpm 31ce777e172418ed9315b7222f19996d 7.1/RPMS/openssh-server-3.3p1-3.1mdk.i586.rpm 376a6784a1064bed84108910a228d05e 7.1/SRPMS/openssh-3.3p1-3.1mdk.src.rpm Linux-Mandrake 7.2: 11305bdbdae69178c4519a64cc4d268c 7.2/RPMS/openssh-3.3p1-3.1mdk.i586.rpm 06076635d4bf67129e1fabc287e44a1d 7.2/RPMS/openssh-askpass-3.3p1-3.1mdk.i586.rpm 7d8e1ab186f9ec314d44188c8fb9129e 7.2/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.i586.rpm eecab04b4bc352d2f24a6b9d28275f38 7.2/RPMS/openssh-clients-3.3p1-3.1mdk.i586.rpm 3cb9787448432db4973af1a50cd259a7 7.2/RPMS/openssh-server-3.3p1-3.1mdk.i586.rpm 376a6784a1064bed84108910a228d05e 7.2/SRPMS/openssh-3.3p1-3.1mdk.src.rpm Mandrake Linux 8.0: d6a327709059db4cc61733b957a4da46 8.0/RPMS/openssh-3.3p1-3.1mdk.i586.rpm ef833e955ce5df3f9ae8bce029f957fc 8.0/RPMS/openssh-askpass-3.3p1-3.1mdk.i586.rpm 1e2aef9c7c61cb5dc2fa3b2bc4bde1b4 8.0/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.i586.rpm 23e8d7aed35558ed75b34d8a32619cff 8.0/RPMS/openssh-clients-3.3p1-3.1mdk.i586.rpm 27a934155f200b02eb273fc2fe80d407 8.0/RPMS/openssh-server-3.3p1-3.1mdk.i586.rpm 376a6784a1064bed84108910a228d05e 8.0/SRPMS/openssh-3.3p1-3.1mdk.src.rpm Mandrake Linux 8.0/ppc: c515524fc8fa30bb41a8048ad7967edb ppc/8.0/RPMS/openssh-3.3p1-3.1mdk.ppc.rpm 0180f3991cad706505e6e5faee741909 ppc/8.0/RPMS/openssh-askpass-3.3p1-3.1mdk.ppc.rpm de64dc6cf71f67d92b0fa2985a05ae6b ppc/8.0/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.ppc.rpm 43a101ff00c00730604089679afe6187 ppc/8.0/RPMS/openssh-clients-3.3p1-3.1mdk.ppc.rpm f7c90aab96ccf90c85dc3869ad38c439 ppc/8.0/RPMS/openssh-server-3.3p1-3.1mdk.ppc.rpm 376a6784a1064bed84108910a228d05e ppc/8.0/SRPMS/openssh-3.3p1-3.1mdk.src.rpm Mandrake Linux 8.1: 821432034c563d9e0ad215f2540e9ae2 8.1/RPMS/openssh-3.3p1-3.1mdk.i586.rpm b52f10205b2fc3e7d64f66f54612e8c7 8.1/RPMS/openssh-askpass-3.3p1-3.1mdk.i586.rpm a175f6d5e2e6bb2cfb4bf542445bc19c 8.1/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.i586.rpm 7aa5e6f0ef8393e4df6083a00dd21245 8.1/RPMS/openssh-clients-3.3p1-3.1mdk.i586.rpm b6d4277248a0347d26bc63ac91e08d20 8.1/RPMS/openssh-server-3.3p1-3.1mdk.i586.rpm 376a6784a1064bed84108910a228d05e 8.1/SRPMS/openssh-3.3p1-3.1mdk.src.rpm Mandrake Linux 8.1/ia64: 28338c62e4f6f5c8110613eee798694a ia64/8.1/RPMS/openssh-3.3p1-3.1mdk.ia64.rpm b867581545043e5002daa968dbe76e07 ia64/8.1/RPMS/openssh-askpass-3.3p1-3.1mdk.ia64.rpm 38b9e8618b83a5ca2a61e11827c9c39d ia64/8.1/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.ia64.rpm 835cbc47dd019786b1bcf18e52c4decc ia64/8.1/RPMS/openssh-clients-3.3p1-3.1mdk.ia64.rpm 3ed27b5847492ac88ed80a57a3d0ea4b ia64/8.1/RPMS/openssh-server-3.3p1-3.1mdk.ia64.rpm 376a6784a1064bed84108910a228d05e ia64/8.1/SRPMS/openssh-3.3p1-3.1mdk.src.rpm Mandrake Linux 8.2: cc9ac93261db3dbd80e5c8be6ce2da6d 8.2/RPMS/openssh-3.3p1-3.1mdk.i586.rpm 79b317116fda4968073a47ceaea8c0f1 8.2/RPMS/openssh-askpass-3.3p1-3.1mdk.i586.rpm 50158609a46ef79d10cb429cac398e82 8.2/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.i586.rpm 298cae54073f902410aa1f6be7748755 8.2/RPMS/openssh-clients-3.3p1-3.1mdk.i586.rpm a32f267bf83538d326febc86932bab52 8.2/RPMS/openssh-server-3.3p1-3.1mdk.i586.rpm 376a6784a1064bed84108910a228d05e 8.2/SRPMS/openssh-3.3p1-3.1mdk.src.rpm Mandrake Linux 8.2/ppc: e45cd22f78eb187a73863add09aa4711 ppc/8.2/RPMS/openssh-3.3p1-3.1mdk.ppc.rpm 47e8e010395171214d419697e28bbd06 ppc/8.2/RPMS/openssh-askpass-3.3p1-3.1mdk.ppc.rpm 8ee31d4f9e9b21fd3c1ffb00c5a0c516 ppc/8.2/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.ppc.rpm 8eea104fafa986376beb0e9e364cbd65 ppc/8.2/RPMS/openssh-clients-3.3p1-3.1mdk.ppc.rpm c07e10e2fc0703c77ca25d4d3aaa2723 ppc/8.2/RPMS/openssh-server-3.3p1-3.1mdk.ppc.rpm 376a6784a1064bed84108910a228d05e ppc/8.2/SRPMS/openssh-3.3p1-3.1mdk.src.rpm Corporate Server 1.0.1: ac86db7914ba6fc85b17fc99d06a937c 1.0.1/RPMS/openssh-3.3p1-3.1mdk.i586.rpm f718cb570e2ee62fc32e053813d3cfbf 1.0.1/RPMS/openssh-askpass-3.3p1-3.1mdk.i586.rpm 6f3c54d22d992032e306ae5070158a71 1.0.1/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.i586.rpm 94257fd0269dad04bd5440b7ee5cf053 1.0.1/RPMS/openssh-clients-3.3p1-3.1mdk.i586.rpm 31ce777e172418ed9315b7222f19996d 1.0.1/RPMS/openssh-server-3.3p1-3.1mdk.i586.rpm 376a6784a1064bed84108910a228d05e 1.0.1/SRPMS/openssh-3.3p1-3.1mdk.src.rpm Single Network Firewall 7.2: 11305bdbdae69178c4519a64cc4d268c snf7.2/RPMS/openssh-3.3p1-3.1mdk.i586.rpm 06076635d4bf67129e1fabc287e44a1d snf7.2/RPMS/openssh-askpass-3.3p1-3.1mdk.i586.rpm 7d8e1ab186f9ec314d44188c8fb9129e snf7.2/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.i586.rpm eecab04b4bc352d2f24a6b9d28275f38 snf7.2/RPMS/openssh-clients-3.3p1-3.1mdk.i586.rpm 3cb9787448432db4973af1a50cd259a7 snf7.2/RPMS/openssh-server-3.3p1-3.1mdk.i586.rpm 376a6784a1064bed84108910a228d05e snf7.2/SRPMS/openssh-3.3p1-3.1mdk.src.rpm ________________________________________________________________________ Bug IDs fixed (see https://qa.mandrakesoft.com for more information): ________________________________________________________________________ To upgrade automatically, use MandrakeUpdate. The verification of md5 checksums and GPG signatures is performed automatically for you. If you want to upgrade manually, download the updated package from one of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm". A list of FTP mirrors can be obtained from: http://www.mandrakesecure.net/en/ftp.php Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command: rpm --checksig All packages are signed by MandrakeSoft for security. You can obtain the GPG public key of the Mandrake Linux Security Team from: https://www.mandrakesecure.net/RPM-GPG-KEYS Please be aware that sometimes it takes the mirrors a few hours to update. You can view other update advisories for Mandrake Linux at: http://www.mandrakesecure.net/en/advisories/ MandrakeSoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting: http://www.mandrakesecure.net/en/mlist.php If you want to report vulnerabilities, please contact security@linux-mandrake.com ________________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.7 (GNU/Linux) mQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday L4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7 WKJqQhlMrHvRcsivzcgqjH44GBBJIT6sygUF8k0lU6YnMHj5MPc/NGWt8wCg9vKo P0l5QVAFSsHtqcU9W8cc7wMEAJzQsAlnvPXDBfBLEH6u7ptWFdp0GvbSuG2wRaPl hynHvRiE01ZvwbJZXsPsKm1z7uVoW+NknKLunWKB5axrNXDHxCYJBzY3jTeFjsqx PFZkIEAQphLTkeXXelAjQ5u9tEshPswEtMvJvUgNiAfbzHfPYmq8D6x5xOw1IySg 2e/LBACxr2UJYCCB2BZ3p508mAB0RpuLGukq+7UWiOizy+kSskIBg2O7sQkVY/Cs iyGEo4XvXqZFMY39RBdfm2GY+WB/5NFiTOYJRKjfprP6K1YbtsmctsX8dG+foKsD LLFs7OuVfaydLQYp1iiN6D+LJDSMPM8/LCWzZsgr9EKJ8NXiyrQ6TGludXggTWFu ZHJha2UgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAbGludXgtbWFuZHJha2UuY29t PohWBBMRAgAWBQI5aefeBAsKBAMDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmK6LAKCy /NInDsaMSI+WHwrquwC5PZrcnQCeI+v3gUDsNfQfiKBvQSANu1hdulqIRgQQEQIA BgUCOtNVGQAKCRBZ5w3um0pAJJWQAKDUoL5He+mKbfrMaTuyU5lmRyJ0fwCgoFAP WdvQlu/kFjphF740XeOwtOqIRgQQEQIABgUCOu8A6QAKCRBynDnb9lq3CnpjAJ4w Pk0SEE9U4r40IxWpwLU+wrWVugCdFfSPllPpZRCiaC7HwbFcfExRmPaIRgQQEQIA BgUCPI+UAwAKCRDniYrgcHcf8xK5AKCm/Mq8qP8GE0o1hEX22QsJMZwH5gCfZ72H 8TacOb3oAmBdprf+K6gkdOiIRgQQEQIABgUCOtOieAAKCRCv2bZyU0yB80MeAJ9K +jXt0cKuaUonRU+CRGetk6t9dgCfTRRL6/puOKdD6md70+K5EBBSvsG0OE1hbmRy YWtlIExpbnV4IFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QG1hbmRyYWtlc29mdC5j b20+iFcEExECABcFAjyPnuUFCwcKAwQDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmFi+ OWnn7xAEAOQlTVY4TiNo5V/iP0J1xnqjqlqZsU7yEBKo/gZz6/+hx75RURe1ebiJ 9F779FQbpJ9Epz1KLSXvq974rnVb813zuGdmgFyk+ryA/rTR2RQ8h+EoNkwmATzR xBXVJb57fFQjxOu4eNjZAtfII/YXb0uyXXrdr5dlJ/3eXrcO4p0XAAMFBACCxo6Z 269s+A4v8C6Ui12aarOQcCDlV8cVG9LkyatU3FNTlnasqwo6EkaP572448weJWwN 6SCXVl+xOYLiK0hL/6Jb/O9Agw75yUVdk+RMM2I4fNEi+y4hmfMh2siBv8yEkEvZ jTcl3TpkTfzYky85tu433wmKaLFOv0WjBFSikohGBBgRAgAGBQI5aefvAAoJEJqo 0NAiRYqYid0AoJgeWzXrEdIClBOSW5Q6FzqJJyaqAKC0Y9YI3UFlE4zSIGjcFlLJ EJGXlA== =yGlX - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE9F9hNmqjQ0CJFipgRAk43AKCE9M7/dDC4sqLSr8yFQmSdLG2iyACeJvfI xP1P7ydRQgPfjc80p7V8/Ss= =oVuw -----END PGP SIGNATURE-----