SuSE Security Announcement: openssh/ssh
Nov 26, 2000, 17:48 (0 Talkback[s])
Date: Fri, 24 Nov 2000 16:51:38 +0100 (MET)
From: Roman Drahtmueller firstname.lastname@example.org
Subject: [suse-security-announce] SuSE Security Announcement: openssh/ssh
SuSE Security Announcement
Date: Friday, November 24th, 2000 16:30 MET
Affected SuSE versions: 6.4, 7.0
Vulnerability Type: clientside remote vulnerability
Severity (1-10): 6
SuSE default package: yes
Other affected systems: systems w/ openssh versions before 2.3.0
Content of this advisory:
1) security vulnerability resolved: openssh
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
1) problem description, brief discussion, solution, upgrade information
openssh is an implementation of the secure shell protocol, available under
the BSD license, primarily maintained by the OpenBSD Project.
Many vulnerabilities have been found in the openssh package, along with
a compilation problem in the openssh and ssh packages in the SuSE-7.0
distribution: An openssh client (the ssh program) can accept X11- or
ssh-agent forwarding requests even though these forwarding capabilities
have not been requested by the client side after successful authentication.
Using these weaknesses, an attacker could gain access to the
authentication agent which may hold multiple user-owned authentification
identities, or to the X-server on the client side as if requested by the
user. These problems have been found/reported by Markus Friedl
and Jacob Langseth.
A problem in the configure script in both the openssh and ssh package
on the SuSE-7.0 distribution caused the sshd programs to not be linked
against the tcp-wrapper library. By consequence, access rules for the sshd
server-side service as configured in /etc/hosts.allow and /etc/hosts.deny
were ignored. This has been reported to us by Lutz Pressle.
We thank these individuals for their contribution.
Sebastian Krahmer found a small tmp file handling
problem in the perl script `make-ssh-known-hosts. A (local) attacker
could trick the perl program to follow symbolic links and thereby
overwriting files with the privileges of the user calling
The solution for the first three problems (agent+X11-forwarding, missing
libwrap support) is an upgrade to a newer package. The tmp file problem
can be easily solved by hand. Please see the special install instructions
Note: Upon public request, we also provide update packages for the
SuSE-6.3 Intel distribution, even though the openssh packages
was not included in this distribution.
special install instructions:
To find out which package (ssh or openssh) you use, please use the command
`rpm -qf /usr/bin/ssh.
Please follow the instructions below to download and install
the update package. Afterwards, restart the sshd daemon:
before SuSE-7.0 (excluding 7.0):
In the file /usr/bin/make-ssh-known-hosts, please change the line
(around line 102)
$private_ssh_known_hosts = "/tmp/ssh_known_hosts$$";
$private_ssh_known_hosts = "~/ssh_known_hosts$$";
and you are done.
SuSE-7.0: Please follow the instructions below to download
and install the update package. Afterwards, restart the sshd daemon:
Please choose the update package(s) for your distribution from the URLs
listed below and download the necessary rpm files. Then, install the
package using the command `rpm -Uhv file.rpm. rpm packages have an
internal md5 checksum that protects against file corruption. You can
verify this checksum using the command (independently from the md5
`rpm --checksig --nogpg file.rpm',
The md5 sums under each package are to prove the package authenticity,
independently from the md5 checksums in the rpm package format.
i386 Intel Platform:
AXP Alpha Platform:
PPC Power PC Platform:
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
In my message (Subject: "SuSE: miscellaneous"), dated Wed, 15 Nov 2000,
concerning the paragraph about runtime linking problems in gs
(GhostScript) , I have stated that the problem will be fixed in future
versions of the SuSE distribution. This does not touch the fact that we
will of course provide fixes for the older distributions.
The packages (version 4.30) are on our ftp server and can be downloaded.
The SuSE security announcement is pending.
Michal Zalewski has reported a buffer overflow
in Netscape's html parser code. A specially crafted html document may
cause the browser to execute arbitrary code as the user calling the
netscape program. The packages are available for download on ftp.suse.com.
A security announcement is on the way to address the issue.
- gs (ghostscript)
Two vulnerabilities have been found in the ghostscript package as shipped
with SuSE distributions: Insecure temporary file handling and a linker
problem that could make gs runtime-link against ./libc.so.6.
We're currently working on update packages. In the meanwhile, it is
advised to not run gs or applications that call gs from within a world-
The text editor jed saves files in /tmp upon emergency termination in an
insecure way. This problem was fixed with the release of SuSE-6.3 after
a SuSE-internal code audit by Thomas Biege email@example.com. The
information about the existence of this bug was not communicated to the
public because the editor was not very widely used at that time.
We will provide update packages for the SuSE releases 6.0, 6.1 and 6.2
3) standard appendix:
SuSE runs two security mailing lists to which any interested party may
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list.
To subscribe, send an email to
- SuSE's announce-only mailing list.
Only SuSE's security annoucements are sent to this list.
To subscribe, send an email to
For general information or the frequently asked questions (faq)
send mail to:
SuSE's security contact is firstname.lastname@example.org.