[ Thanks to Andreas Hasenack for this announcement. ]
CONECTIVA LINUX SECURITY ANNOUNCEMENT
PACKAGE: openssh
SUMMARY : “UseLogin” option allows remote execution of commands as root
DATE : 2000-06-10
AFFECTED CONECTIVA VERSIONS : 5.0
DESCRIPTION
OpenSSH’s default installation doesn’t have this problem. If
the “UseLogin” option is used, then the ssh server won’t drop its
root privileges, instead relying on the login program to do so. But
if the user specifies a command to be executed during the ssh
session, the login program won’t be used and the command will be
run with full root privileges.
SOLUTION
Users with the “UseLogin” option set to “no” in
/etc/ssh/sshd_config are not vulnerable. If, however, this option
is needed, then openssh MUST be upgraded IMMEDIATELY.
Updated packages for openssl are also provided to satisfy openssh’s
dependencies.
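
To check a host against the condition above, the following added example (not part of the Conectiva announcement) reports the effective “UseLogin” value of an sshd_config file. It assumes sshd keeps the first value it reads for a keyword, treats keyword names case-insensitively, and defaults to “no” when the line is absent; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumptions: sshd keeps the first value it reads for a keyword,
# keyword names are case-insensitive, and a missing UseLogin line means "no".

uselogin_value() {
    # $1: path to an sshd_config file. Prints the effective UseLogin value.
    awk '
        {
            line = $0
            sub(/\r$/, "", line)                  # tolerate CRLF line endings
            sub(/^[ \t]+/, "", line)              # drop leading whitespace
            if (line == "" || line ~ /^#/) next   # blank line or comment
            n = match(line, /[ \t=]/)             # keyword ends at blank or "="
            if (n == 0) next
            if (tolower(substr(line, 1, n - 1)) != "uselogin") next
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)       # separator before the value
            gsub(/"/, "", val)                    # value may be quoted
            split(val, parts, /[ \t]+/)           # keep the first token only
            print tolower(parts[1])
            found = 1
            exit                                  # first occurrence wins
        }
        END { if (!found) print "no" }
    ' "$1"
}

check_uselogin() {
    # Returns 0 if UseLogin is "no", 1 if anything else, 2 if unreadable.
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    v=$(uselogin_value "$1")
    if [ "$v" != "no" ]; then
        echo "$1: UseLogin is '$v': upgrade openssh or set UseLogin to no"
        return 1
    fi
    echo "$1: UseLogin is no"
}

# Constructed sample: the later "no" is ignored because the first value wins.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'Port 22' 'useLogin = yes' 'UseLogin no' > "$sample"
check_uselogin "$sample" || true
rm -f "$sample"
```

On a real system, call check_uselogin with /etc/ssh/sshd_config; a commented-out “#UseLogin yes” line is reported as “no”.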
DIRECT DOWNLOAD LINKS TO UPDATED PACKAGES
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-askpass-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-askpass-gnome-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-clients-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-server-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssl-0.9.5a-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssl-devel-0.9.5a-1cl.i386.rpm
DIRECT LINK TO SOURCE PACKAGES
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/openssh-2.1.1p1-1cl.src.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/openssl-0.9.5a-1cl.src.rpm
All packages are signed with Conectiva’s PGP key. The key can be
obtained at http://www.conectiva.com.br/conectiva/contato.html
subscribe: atualizacoes-anuncio-subscribe@bazar.conectiva.com.br
unsubscribe: atualizacoes-anuncio-unsubscribe@bazar.conectiva.com.br