Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


Top White Papers

More on LinuxToday


Mandrake Linux Advisory: OpenSSH

Jun 25, 2002, 04:16 (1 Talkback[s])

______________________________________________________________________

                Mandrake Linux Security Update Advisory
______________________________________________________________________

Package name:           openssh
Advisory ID:            MDKSA-2002:040
Date:                   June 24th, 2002
Affected versions:      7.1, 7.2, 8.0, 8.1, 8.2, Corporate Server 1.0.1,
                        Single Network Firewall 7.2
______________________________________________________________________

Problem Description:

 Details of an upcoming OpenSSH vulnerability will be published early
 next week.  According to the OpenSSH team, this remote vulnerability
 cannot be exploited when sshd is running with privilege separation.
 The priv separation code is significantly improved in version 3.3 of 
 OpenSSH which was released on June 21st.  Unfortunately, there are some
 known problems with this release; compression does not work on all
 operating systems and the PAM support has not been completed.

 The OpenSSH team encourages everyone to upgrade to version 3.3
 immediately and enable privilege separation.  This can be enabled by
 placing in your /etc/ssh/sshd_config file the following:

   UsePrivilegeSeparation yes

 The vulnerability that will be disclosed next week is not fixed in
 version 3.3 of OpenSSH, however with priv separation enabled, you will
 not be vulnerable to it.  This is because privilege separation uses a
 seperate non-privileged process to handle most of the work, meaning
 that any vulnerability in this part of OpenSSH will never lead to a
 root compromise.  Only access as the non-privileged user restricted in
 chroot would be available.

 MandrakeSoft encourages all of our users to upgrade to the updated
 packages immediately.  This update creates a new user and group on the
 system named sshd that is used to run the non-privileged processes.
______________________________________________________________________

References:

 http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102495293705094&w=2
______________________________________________________________________

Updated Packages:

 Linux-Mandrake 7.1:
 ac86db7914ba6fc85b17fc99d06a937c  7.1/RPMS/openssh-3.3p1-3.1mdk.i586.rpm
 f718cb570e2ee62fc32e053813d3cfbf  7.1/RPMS/openssh-askpass-3.3p1-3.1mdk.i586.rpm
 6f3c54d22d992032e306ae5070158a71  7.1/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.i586.rpm
 94257fd0269dad04bd5440b7ee5cf053  7.1/RPMS/openssh-clients-3.3p1-3.1mdk.i586.rpm
 31ce777e172418ed9315b7222f19996d  7.1/RPMS/openssh-server-3.3p1-3.1mdk.i586.rpm
 376a6784a1064bed84108910a228d05e  7.1/SRPMS/openssh-3.3p1-3.1mdk.src.rpm

 Linux-Mandrake 7.2:
 11305bdbdae69178c4519a64cc4d268c  7.2/RPMS/openssh-3.3p1-3.1mdk.i586.rpm
 06076635d4bf67129e1fabc287e44a1d  7.2/RPMS/openssh-askpass-3.3p1-3.1mdk.i586.rpm
 7d8e1ab186f9ec314d44188c8fb9129e  7.2/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.i586.rpm
 eecab04b4bc352d2f24a6b9d28275f38  7.2/RPMS/openssh-clients-3.3p1-3.1mdk.i586.rpm
 3cb9787448432db4973af1a50cd259a7  7.2/RPMS/openssh-server-3.3p1-3.1mdk.i586.rpm
 376a6784a1064bed84108910a228d05e  7.2/SRPMS/openssh-3.3p1-3.1mdk.src.rpm

 Mandrake Linux 8.0:
 d6a327709059db4cc61733b957a4da46  8.0/RPMS/openssh-3.3p1-3.1mdk.i586.rpm
 ef833e955ce5df3f9ae8bce029f957fc  8.0/RPMS/openssh-askpass-3.3p1-3.1mdk.i586.rpm
 1e2aef9c7c61cb5dc2fa3b2bc4bde1b4  8.0/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.i586.rpm
 23e8d7aed35558ed75b34d8a32619cff  8.0/RPMS/openssh-clients-3.3p1-3.1mdk.i586.rpm
 27a934155f200b02eb273fc2fe80d407  8.0/RPMS/openssh-server-3.3p1-3.1mdk.i586.rpm
 376a6784a1064bed84108910a228d05e  8.0/SRPMS/openssh-3.3p1-3.1mdk.src.rpm

 Mandrake Linux 8.0/ppc:
 c515524fc8fa30bb41a8048ad7967edb  ppc/8.0/RPMS/openssh-3.3p1-3.1mdk.ppc.rpm
 0180f3991cad706505e6e5faee741909  ppc/8.0/RPMS/openssh-askpass-3.3p1-3.1mdk.ppc.rpm
 de64dc6cf71f67d92b0fa2985a05ae6b  ppc/8.0/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.ppc.rpm
 43a101ff00c00730604089679afe6187  ppc/8.0/RPMS/openssh-clients-3.3p1-3.1mdk.ppc.rpm
 f7c90aab96ccf90c85dc3869ad38c439  ppc/8.0/RPMS/openssh-server-3.3p1-3.1mdk.ppc.rpm
 376a6784a1064bed84108910a228d05e  ppc/8.0/SRPMS/openssh-3.3p1-3.1mdk.src.rpm

 Mandrake Linux 8.1:
 821432034c563d9e0ad215f2540e9ae2  8.1/RPMS/openssh-3.3p1-3.1mdk.i586.rpm
 b52f10205b2fc3e7d64f66f54612e8c7  8.1/RPMS/openssh-askpass-3.3p1-3.1mdk.i586.rpm
 a175f6d5e2e6bb2cfb4bf542445bc19c  8.1/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.i586.rpm
 7aa5e6f0ef8393e4df6083a00dd21245  8.1/RPMS/openssh-clients-3.3p1-3.1mdk.i586.rpm
 b6d4277248a0347d26bc63ac91e08d20  8.1/RPMS/openssh-server-3.3p1-3.1mdk.i586.rpm
 376a6784a1064bed84108910a228d05e  8.1/SRPMS/openssh-3.3p1-3.1mdk.src.rpm

 Mandrake Linux 8.1/ia64:
 28338c62e4f6f5c8110613eee798694a  ia64/8.1/RPMS/openssh-3.3p1-3.1mdk.ia64.rpm
 b867581545043e5002daa968dbe76e07  ia64/8.1/RPMS/openssh-askpass-3.3p1-3.1mdk.ia64.rpm
 38b9e8618b83a5ca2a61e11827c9c39d  ia64/8.1/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.ia64.rpm
 835cbc47dd019786b1bcf18e52c4decc  ia64/8.1/RPMS/openssh-clients-3.3p1-3.1mdk.ia64.rpm
 3ed27b5847492ac88ed80a57a3d0ea4b  ia64/8.1/RPMS/openssh-server-3.3p1-3.1mdk.ia64.rpm
 376a6784a1064bed84108910a228d05e  ia64/8.1/SRPMS/openssh-3.3p1-3.1mdk.src.rpm

 Mandrake Linux 8.2:
 cc9ac93261db3dbd80e5c8be6ce2da6d  8.2/RPMS/openssh-3.3p1-3.1mdk.i586.rpm
 79b317116fda4968073a47ceaea8c0f1  8.2/RPMS/openssh-askpass-3.3p1-3.1mdk.i586.rpm
 50158609a46ef79d10cb429cac398e82  8.2/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.i586.rpm
 298cae54073f902410aa1f6be7748755  8.2/RPMS/openssh-clients-3.3p1-3.1mdk.i586.rpm
 a32f267bf83538d326febc86932bab52  8.2/RPMS/openssh-server-3.3p1-3.1mdk.i586.rpm
 376a6784a1064bed84108910a228d05e  8.2/SRPMS/openssh-3.3p1-3.1mdk.src.rpm

 Mandrake Linux 8.2/ppc:
 e45cd22f78eb187a73863add09aa4711  ppc/8.2/RPMS/openssh-3.3p1-3.1mdk.ppc.rpm
 47e8e010395171214d419697e28bbd06  ppc/8.2/RPMS/openssh-askpass-3.3p1-3.1mdk.ppc.rpm
 8ee31d4f9e9b21fd3c1ffb00c5a0c516  ppc/8.2/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.ppc.rpm
 8eea104fafa986376beb0e9e364cbd65  ppc/8.2/RPMS/openssh-clients-3.3p1-3.1mdk.ppc.rpm
 c07e10e2fc0703c77ca25d4d3aaa2723  ppc/8.2/RPMS/openssh-server-3.3p1-3.1mdk.ppc.rpm
 376a6784a1064bed84108910a228d05e  ppc/8.2/SRPMS/openssh-3.3p1-3.1mdk.src.rpm

 Corporate Server 1.0.1:
 ac86db7914ba6fc85b17fc99d06a937c  1.0.1/RPMS/openssh-3.3p1-3.1mdk.i586.rpm
 f718cb570e2ee62fc32e053813d3cfbf  1.0.1/RPMS/openssh-askpass-3.3p1-3.1mdk.i586.rpm
 6f3c54d22d992032e306ae5070158a71  1.0.1/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.i586.rpm
 94257fd0269dad04bd5440b7ee5cf053  1.0.1/RPMS/openssh-clients-3.3p1-3.1mdk.i586.rpm
 31ce777e172418ed9315b7222f19996d  1.0.1/RPMS/openssh-server-3.3p1-3.1mdk.i586.rpm
 376a6784a1064bed84108910a228d05e  1.0.1/SRPMS/openssh-3.3p1-3.1mdk.src.rpm

 Single Network Firewall 7.2:
 11305bdbdae69178c4519a64cc4d268c  snf7.2/RPMS/openssh-3.3p1-3.1mdk.i586.rpm
 06076635d4bf67129e1fabc287e44a1d  snf7.2/RPMS/openssh-askpass-3.3p1-3.1mdk.i586.rpm
 7d8e1ab186f9ec314d44188c8fb9129e  snf7.2/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.i586.rpm
 eecab04b4bc352d2f24a6b9d28275f38  snf7.2/RPMS/openssh-clients-3.3p1-3.1mdk.i586.rpm
 3cb9787448432db4973af1a50cd259a7  snf7.2/RPMS/openssh-server-3.3p1-3.1mdk.i586.rpm
 376a6784a1064bed84108910a228d05e  snf7.2/SRPMS/openssh-3.3p1-3.1mdk.src.rpm
______________________________________________________________________

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):

______________________________________________________________________

To upgrade automatically, use MandrakeUpdate.  The verification of md5
checksums and GPG signatures is performed automatically for you.

If you want to upgrade manually, download the updated package from one 
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".  A list of
FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

Please verify the update prior to upgrading to ensure the integrity of
the downloaded package.  You can do this with the command:

  rpm --checksig <filename>

All packages are signed by MandrakeSoft for security.  You can obtain
the GPG public key of the Mandrake Linux Security Team from:

  https://www.mandrakesecure.net/RPM-GPG-KEYS

Please be aware that sometimes it takes the mirrors a few hours to 
update.

You can view other update advisories for Mandrake Linux at:

  http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that
anyone can subscribe to.  Information on these lists can be obtained by
visiting:

  http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

  security@linux-mandrake.com
______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security@linux-mandrake.com>