Progeny Security Advisory: OpenSSH subject to traffic analysis
Apr 13, 2001, 09:30

Date: Thu, 12 Apr 2001 14:03:53 -0500
From: Progeny Security Team <security@PROGENY.COM>
Subject: PROGENY-SA-2001-04: OpenSSH subject to traffic analysis

PROGENY LINUX SYSTEMS -- SECURITY ADVISORY PROGENY-SA-2001-04

    Topic:          OpenSSH subject to traffic analysis
    Category:       net
    Module:         openssh
    Announced:      2001-04-12
    Credits:        Solar Designer <solar@openwall.com>
                    BugTraq Mailing List <bugtraq@securityfocus.com>
    Affects:        Progeny Debian (openssh prior to 2.5.2p2-0progeny1)
                    Debian GNU/Linux (openssh prior to 2.5.2)
    Vendor-Status:  New Version Released (openssh_2.5.2p2-0progeny1)
    Corrected:      2001-04-12
    Progeny Only:   NO

    $Id: PROGENY-SA-2001-04,v 1.8 2001/04/12 18:02:02 jdaily Exp $

SYNOPSIS

A number of security problems existed in previous versions of OpenSSH
which would allow an attacker to obtain sensitive information by
passively monitoring encrypted SSH (Secure Shell) sessions.

PROBLEM DESCRIPTION

Solar Designer has conducted a very thorough analysis of several
weaknesses in implementations of the SSH protocol. These weaknesses
allow an attacker to significantly speed up brute force attacks on
passwords. Solar Designer's complete analysis can be found at the
following page:

    http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt

In February of 2001, Core SDI released a security announcement which
described ways that would allow an attacker to compromise an SSH
protocol 1.5 session. The detailed report is at the following URL:

    http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm

IMPACT

Shortcomings in the OpenSSH implementation of the SSH protocol allow
malicious third parties to compromise sensitive data.

SOLUTION

Upgrade to a fixed version of OpenSSH. You may use Progeny's OpenSSH
package, version openssh_2.5.2p2-0progeny1, for convenience.

WORKAROUND

There is no known satisfactory workaround at this time.

UPDATING VIA APT-GET

    deb http://archive.progeny.com/progeny updates/newton/

2. Update your cache of available packages for apt(8).

   Example:

    # apt-get update

3. Using apt(8), install the new ssh package. apt(8) will download the
   update, verify its integrity with md5, and then install the package
   on your system with dpkg(8).

   Example:

    # apt-get install ssh

UPDATING VIA DPKG

    http://archive.progeny.com/pub/progeny/updates/newton/

    Filename                          MD5 Checksum
    ssh_2.5.2p2-0progeny1_i386.deb    c64fdf411514850f3854a6395c5e178c

   Example:

    # wget http://archive.progeny.com/progeny/updates/newton/ssh_2.5.2p2-0progeny1_i386.deb

2. Use the md5sum command on the retrieved file to verify that it
   matches the md5sum provided in this advisory:

   Example:

    # md5sum ssh_2.5.2p2-0progeny1_i386.deb

3. Then install the replacement package(s) using the dpkg command.

   Example:

    # dpkg --install ssh_2.5.2p2-0progeny1_i386.deb

MORE INFORMATION

There is no more information available at this time.

pub 1024D/F92D4D1F 2001-04-04 Progeny Security Team <security@progeny.com>
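
Steps 2 and 3 of the dpkg procedure above, combined into one gate, as an added example that is not part of the Progeny advisory: the package is installed only when its MD5 digest equals the value published in the advisory. The function names and the INSTALL_CMD override are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory): install only after the digest matches.

# verify_md5 FILE EXPECTED
# Returns 0 when FILE's MD5 digest equals EXPECTED, 1 on a mismatch, and
# 2 when FILE is missing or EXPECTED is not a well-formed MD5 digest.
verify_md5() {
    file=$1
    # Accept upper-case digests pasted from other sources.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # An MD5 digest is exactly 32 hex characters; a truncated or padded
    # paste must fail the check rather than be compared loosely.
    case $expected in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 32 ] || return 2
    [ -f "$file" ] || return 2

    # md5sum prints "<digest>  <name>"; keep only the digest field.
    actual=$(md5sum -- "$file" | cut -d' ' -f1) || return 2
    [ "$actual" = "$expected" ]
}

# install_if_verified FILE EXPECTED
# Runs dpkg only after verify_md5 succeeds. INSTALL_CMD is a hypothetical
# override (default: dpkg --install) so the gate can be tried without root.
install_if_verified() {
    if verify_md5 "$1" "$2"; then
        ${INSTALL_CMD:-dpkg --install} "$1"
    else
        echo "refusing to install $1: checksum check failed" >&2
        return 1
    fi
}

# Usage with the filename and checksum given in the advisory:
#   install_if_verified ssh_2.5.2p2-0progeny1_i386.deb \
#       c64fdf411514850f3854a6395c5e178c
```
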