Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


More on LinuxToday


SUSE LINUX Advisories: lsh, mysql

Oct 01, 2003, 17:59 (0 Talkback[s])

SuSE Security Announcement

Package: lsh
Announcement-ID: SuSE-SA:2003:041
Date: Wed Oct 1 10:24:45 CEST 2003
Affected products: 8.0, 8.1, 8.2
Vulnerability Type: remote code execution
Severity (1-10): 5
SuSE default package: yes
Cross References: -

Content of this advisory:

  1. security vulnerability resolved: Buffer overflow in lsh. problem description, discussion, solution and upgrade information
  2. pending vulnerabilities, solutions, workarounds:
    • node
    • proftp
    • OpenSSL
  3. standard appendix (further information)

1) problem description, brief discussion, solution, upgrade information

LSH is the GNU implementation of SSH and can be seen as an alternative to OpenSSH.
Recently various remotely exploitable buffer overflows have been reported in LSH. These allow attackers to execute arbitrary code as root on un-patched systems.
LSH is not installed by default on SuSE Linux. An update is therefore only recommended if you run LSH.
Maintained SuSE products are not affected by this bug as LSH is not packaged on maintained products such as the Enterprise Server.

For the updates to take effect execute the following command as root:

/usr/sbin/rclshd restart

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update.
Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.

i386 Intel Platform:
SuSE-8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/lsh-1.5-114.i586.rpm 798f52402cda6c7e1733aed15bf0d9cb
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/lsh-1.5-114.i586.patch.rpm 9308cdb133d2311a9dc4a10bbf613501
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/lsh-1.5-114.src.rpm 1e1b5beac002cf51d1eea0277934a69d

SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/lsh-1.4.2-73.i586.rpm b5ff8ba104623fe9a77705154aad92f7
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/lsh-1.4.2-73.i586.patch.rpm 6341acd3fe513921b7123d7c1d98cc43
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/lsh-1.4.2-73.src.rpm 0a2b95e911f8760009ad0d5b2fd7618e

SuSE-8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec3/lsh-1.3.5-188.i386.rpm bccfd85985bab8a324b25c1b2443bf2b
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec3/lsh-1.3.5-188.i386.patch.rpm 8a232720cb0a4b35d0899e9c6a4e80ae
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/lsh-1.3.5-188.src.rpm 8e3e30b134b12400559152bb5c53d0f8


2) Pending vulnerabilities in SuSE Distributions and Workarounds:

  • node A format string vulnerability has been fixed in the new node packages available on our ftp servers. An update is recommended if you use this package.
  • proftp A off-by-one buffer overflow has been fixed in the proftp packages for SuSE Linux 7.2 and 7.3. Note that the bug that was fixed is different from the 'ASCII File Transfer Buffer Overrun Vulnerability' (CAN-2003-0831). The proftp packages shipped by SuSE are not affected by CAN-2003-0831.
  • OpenSSL Critical bugs within the ASN.1 parsing routines have been reported recently. We are currently building new packages and will notify you in a separate advisory when the packages are available.

3) standard appendix: authenticity verification, additional information

  • Package authenticity verification:

SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package:

  1. md5sums as provided in the (cryptographically signed) announcement.
  2. using the internal gpg signatures of the rpm package.
  3. execute the command md5sum <name-of-the-file.rpm> after you downloaded the file from a SuSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security@suse.de), the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless.
  4. rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, where <file.rpm> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites:
    1. gpg is installed
    2. The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SuSE in rpm packages for SuSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SuSE Linux distributions version 7.1 and thereafter install the key "build@suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
      • SuSE runs two security mailing lists to which any interested party may subscribe:
  • general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to

    <suse-security-subscribe@suse.com>.

suse-security-announce@suse.com

For general information or the frequently asked questions (faq) send mail to:

<suse-security-info@suse.com> or
<suse-security-faq@suse.com> respectively. SuSE's security contact is <security@suse.com> or <security@suse.de>. The <security@suse.de> public key is listed below.

The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the clear-text signature shows proof of the authenticity of the text.
SuSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>

SuSE Security Announcement

Package: mysql
Announcement-ID: SuSE-SA:2003:042
Date: Wed Oct 1 12:12:38 CEST 2003
Affected products: 7.2, 7.3, 8.0, 8.1, 8.2
SuSE Linux Connectivity Server
SuSE Linux Enterprise Server 7, 8
SuSE Linux Office Server
UnitedLinux 1.0
Vulnerability Type: remote code execution
Severity (1-10): 5
SuSE default package: no
Cross References: -

Content of this advisory:

  1. security vulnerability resolved: Buffer overflow in mysql. problem description, discussion, solution and upgrade information
  2. pending vulnerabilities, solutions, workarounds:
    • OpenSSL
  3. standard appendix (further information)

1) problem description, brief discussion, solution, upgrade information

A remotely exploitable buffer overflow within the authentication code of MySQL has been reported. This allows remote attackers who have access to the 'User' table to execute arbitrary commands as mysql user. The list of affected packages is as follows: mysql, mysql-client, mysql-shared, mysql-bench, mysql-devel, mysql-Max. In this advisory the MD5 sums for the mysql, mysql-shared and mysql-devel packages are listed.

To be sure the update takes effect you have to restart the MySQL server by executing the following command as root:

/usr/sbin/rcmysql restart

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update.
Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.

i386 Intel Platform:

SuSE-8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mysql-3.23.55-22.i586.rpm 41e8d3781aeedd2e48837293d261f9e2
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mysql-shared-3.23.55-22.i586.rpm b75bdea7f484305c62415cd7412151af
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mysql-devel-3.23.55-22.i586.rpm 264920dc6e1def4e26253cc3d82f2fc7
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mysql-3.23.55-22.i586.patch.rpm 82bac86826eb08ccf8c3204a792e0df1
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mysql-shared-3.23.55-22.i586.patch.rpm ea14dd33b2e390009513209e71229cd3
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mysql-devel-3.23.55-22.i586.patch.rpm b8e64deab45bdd05657a5447b4e279eb
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/mysql-3.23.55-22.src.rpm fd33faf5fe7efc9f9c5871db37ea88b4

SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mysql-3.23.52-106.i586.rpm e7488a05d07282bbd8317f834c24f0d4
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mysql-shared-3.23.52-106.i586.rpm e6db8d49932368487a334d803572ed4e
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mysql-devel-3.23.52-106.i586.rpm 9c6c4ab2b8a461ca391a2453d05d9b71
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mysql-3.23.52-106.i586.patch.rpm 37960d363c09a1123c25b11d6a753968
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mysql-shared-3.23.52-106.i586.patch.rpm 77d66503d21447bd1dd8339463c7b25b
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mysql-devel-3.23.52-106.i586.patch.rpm c747e07c307e9619cf04a3e2c8cc369f
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/mysql-3.23.52-106.src.rpm 952c96bc22740b252e151c27537e5c1b

SuSE-8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/ap2/mysql-3.23.48-81.i386.rpm 7126396c99deb931dda869fdc8e5e6ef
ftp://ftp.suse.com/pub/suse/i386/update/8.0/ap2/mysql-shared-3.23.48-81.i386.rpm 6cfa50d58f7b23201f2056d6097c4161
ftp://ftp.suse.com/pub/suse/i386/update/8.0/ap3/mysql-devel-3.23.48-81.i386.rpm 23d978a491c8a0a0035142276ae9c806
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/ap2/mysql-3.23.48-81.i386.patch.rpm 49833c754e880fba15e579ad32d6861c
ftp://ftp.suse.com/pub/suse/i386/update/8.0/ap2/mysql-shared-3.23.48-81.i386.patch.rpm 3eba782210bf2e3a714616571bea0066
ftp://ftp.suse.com/pub/suse/i386/update/8.0/ap3/mysql-devel-3.23.48-81.i386.patch.rpm 9d6d58e8da20ea06bfd3207c44925190
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/mysql-3.23.48-81.src.rpm bc8db10701bdaee4da9776a6dc49fc29

SuSE-7.3:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/ap3/mysql-3.23.44-28.i386.rpm f3171ff82e6d3fbf9913cfb58d984602
ftp://ftp.suse.com/pub/suse/i386/update/7.3/ap2/mysql-shared-3.23.44-28.i386.rpm db2fe45728f6073f15c6440538926828
ftp://ftp.suse.com/pub/suse/i386/update/7.3/ap3/mysql-devel-3.23.44-28.i386.rpm 278a0338ed3a6ae65c7328f422f7abfc
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/mysql-3.23.44-28.src.rpm c1076bca4b5a7d750f72811c097e92fa

SuSE-7.2:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/ap3/mysql-3.23.37-62.i386.rpm 2b5af68cb036119322a8a666fa68046b
ftp://ftp.suse.com/pub/suse/i386/update/7.2/ap2/mysql-shared-3.23.37-62.i386.rpm d1f95967eb77ff7b8761ec27795cb740
ftp://ftp.suse.com/pub/suse/i386/update/7.2/ap3/mysql-devel-3.23.37-62.i386.rpm e8cd7dda9473259239458b5e008c6924
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/mysql-3.23.37-62.src.rpm e3c0693bda7d898ffc5bfb8f23478e7e

Sparc Platform:

SuSE-7.3:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/ap3/mysql-3.23.44-24.sparc.rpm 52a66dfd5f2f330240dab5e59c412ef7
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/ap2/mysql-shared-3.23.44-24.sparc.rpm 6060be5ff51994e0ab73e8afc7ba2f26
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/ap3/mysql-devel-3.23.44-24.sparc.rpm 802c951032a42b1b21f51ab53af502c9
source rpm(s):
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/mysql-3.23.44-24.src.rpm 350c8fcc5522c08ca9096803cc34dd42

PPC Power PC Platform:

SuSE-7.3:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/ap3/mysql-3.23.44-32.ppc.rpm 4dfbca3cbc9e9a3f8f36ab19a7bb4093
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/ap2/mysql-shared-3.23.44-32.ppc.rpm 068cbab05a37e74b9f57abcae7eb6b64
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/ap3/mysql-devel-3.23.44-32.ppc.rpm c897ad4fa5a724c11efabbecfdd929c4
source rpm(s):
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/mysql-3.23.44-32.src.rpm aa219acd13b73c45e2b418e8df03a1ee


2) Pending vulnerabilities in SuSE Distributions and Workarounds:

  • OpenSSL Critical bugs within the ASN.1 parsing routines have been reported recently. We are currently building new packages and will notify you in a separate advisory when the packages are available.

3) standard appendix: authenticity verification, additional information

  • Package authenticity verification:

SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package:

  1. md5sums as provided in the (cryptographically signed) announcement.
  2. using the internal gpg signatures of the rpm package.
  3. execute the command md5sum <name-of-the-file.rpm> after you downloaded the file from a SuSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security@suse.de), the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless.
  4. rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, where <file.rpm> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites:
    1. gpg is installed
    2. The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SuSE in rpm packages for SuSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SuSE Linux distributions version 7.1 and thereafter install the key "build@suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
      • SuSE runs two security mailing lists to which any interested party may subscribe:
  • general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to

    <suse-security-subscribe@suse.com>.

suse-security-announce@suse.com

For general information or the frequently asked questions (faq) send mail to:

<suse-security-info@suse.com> or <suse-security-faq@suse.com> respectively. SuSE's security contact is <security@suse.com> or <security@suse.de>. The <security@suse.de> public key is listed below.

The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the clear-text signature shows proof of the authenticity of the text.
SuSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>