Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


Top White Papers

More on LinuxToday


Trustix Secure Linux Security Advisory: OpenSSH

Dec 20, 2001, 16:43 (0 Talkback[s])
From:   Trustix Secure Linux Advisor <<A HREF="mailto:tsl@trustix.com">tsl@trustix.com>
Subject:        TSLSA-2001-0030 - openssh
Date:   20 Dec 2001 15:20:07 +0100      

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2001-0030

Package name:      OpenSSH
Severity:          Local root exploit if UseLogin option enabled
Date:              2001-12-19
Affected versions: TSL 1.01, 1.1, 1.2, 1.5

- --------------------------------------------------------------------------

Problem description:
  A malicious local user can pass environment variables to the login
  process if the administrator enables the UseLogin option.  This can
  be abused to bypass authentication and gain root access.
  Note that this option is not enabled by default on TSL.


Action:
  We recommend that all systems with this package installed are upgraded.


Location:
  All TSL updates are available from
  URI:http://www.trustix.net/pub/Trustix/updates/
  URI:ftp://ftp.trustix.net/pub/Trustix/updates/


Automatic updates:
  Users of the SWUP tool, can enjoy having updates automatically
  installed using 'swup --upgrade'.

  Get SWUP from:
  URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/


Questions?
  Check out our mailing lists:
  URI:http://www.trustix.net/support/


Verification:
  This advisory along with all TSL packages are signed with the TSL sign key.
  This key available from:
  URI:http://www.trustix.net/TSL-GPG-KEY

  The advisory itself is available from the errata pages at
  URI:http://www.trustix.net/errata/trustix-1.2/
  URI:http://www.trustix.net/errata/trustix-1.5/
  or directly at
  URI:http://www.trustix.net/errata/misc/2001/TSL-2001-0030-openssh.asc.txt

MD5sums of the packages:
- --------------------------------------------------------------------------
71f9d80630a4c08f54aacfc49e0cfec7  ./1.5/SRPMS/openssh-3.0.2p1-1tr.src.rpm
55096b921e28b5af55785b8ba5535dc3  ./1.5/RPMS/openssh-server-3.0.2p1-1tr.i586.rpm
9b657aff2f8e0ac8fa5cbb46346bc72b  ./1.5/RPMS/openssh-clients-3.0.2p1-1tr.i586.rpm
6bb5b4e99d2e413ad88bff4a4e551c8b  ./1.5/RPMS/openssh-3.0.2p1-1tr.i586.rpm
71f9d80630a4c08f54aacfc49e0cfec7  ./1.2/SRPMS/openssh-3.0.2p1-1tr.src.rpm
16b64002dc47121a50eb744762db7f4b  ./1.2/RPMS/openssh-server-3.0.2p1-1tr.i586.rpm
e0abacbfe2eb860e75b9408873338953  ./1.2/RPMS/openssh-clients-3.0.2p1-1tr.i586.rpm
459b0715a16d4043211b1e4ad46acddf  ./1.2/RPMS/openssh-3.0.2p1-1tr.i586.rpm
71f9d80630a4c08f54aacfc49e0cfec7  ./1.1/SRPMS/openssh-3.0.2p1-1tr.src.rpm
8dc43857ecc5af0fc9459639a3b9d5c8  ./1.1/RPMS/openssh-server-3.0.2p1-1tr.i586.rpm
b611b85e0c30ecd5333ae30dd225d189  ./1.1/RPMS/openssh-clients-3.0.2p1-1tr.i586.rpm
a40338ee7d06e2eb9d7c73e4787e7dd9  ./1.1/RPMS/openssh-3.0.2p1-1tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team