Linux Today: Linux News On Internet Time.







Mandrake Linux Advisory: openssh

Sep 17, 2003, 20:07

Mandrake Linux Security Update Advisory


Package name: openssh
Advisory ID: MDKSA-2003:090-1
Date: September 17th, 2003
Original Advisory Date: September 16th, 2003
Affected versions: 8.2, 9.0, 9.1, Corporate Server 2.1, Multi Network Firewall 8.2

Problem Description:

A buffer management error was discovered in all versions of openssh prior to version 3.7. According to the OpenSSH team's advisory: "It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively." There have also been reports of an exploit in the wild.

MandrakeSoft encourages all users to upgrade to these patched openssh packages immediately and to disable sshd until you are able to upgrade if at all possible.

Update:

The OpenSSH developers discovered more, similar, problems and revised the patch to correct these issues. These new packages have the latest patch fix applied.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0695
http://www.kb.cert.org/vuls/id/333628
http://www.openssh.com/txt/buffer.adv


Updated Packages:

Corporate Server 2.1:
e4dd6a2be580feeceddb7bf702646992 corporate/2.1/RPMS/openssh-3.6.1p2-1.2.90mdk.i586.rpm
b643425ed773606865f31797db73b6d5 corporate/2.1/RPMS/openssh-askpass-3.6.1p2-1.2.90mdk.i586.rpm
bf403b678dd74c14c489bf5a32939e80 corporate/2.1/RPMS/openssh-askpass-gnome-3.6.1p2-1.2.90mdk.i586.rpm
c4ec1f56320d69a37455d4f74da30d2d corporate/2.1/RPMS/openssh-clients-3.6.1p2-1.2.90mdk.i586.rpm
0252fc0a7273c7c2ebbe4ae92fe492c6 corporate/2.1/RPMS/openssh-server-3.6.1p2-1.2.90mdk.i586.rpm
8909a7349c3e18993784900e1c501dc8 corporate/2.1/SRPMS/openssh-3.6.1p2-1.2.90mdk.src.rpm

Corporate Server 2.1/x86_64:
7a297d5ad1cf8f266a7045e5ed6407b4 x86_64/corporate/2.1/RPMS/openssh-3.6.1p2-1.2.90mdk.x86_64.rpm
0e1047d7ac87e4cb2fc83f51156f89e8 x86_64/corporate/2.1/RPMS/openssh-askpass-3.6.1p2-1.2.90mdk.x86_64.rpm
09592be1376bff2acb58577eb22927e5 x86_64/corporate/2.1/RPMS/openssh-askpass-gnome-3.6.1p2-1.2.90mdk.x86_64.rpm
cb39634d5cb6811a53e833a566dca625 x86_64/corporate/2.1/RPMS/openssh-clients-3.6.1p2-1.2.90mdk.x86_64.rpm
2e49b64404318ee3c10f7088781f36da x86_64/corporate/2.1/RPMS/openssh-server-3.6.1p2-1.2.90mdk.x86_64.rpm
8909a7349c3e18993784900e1c501dc8 x86_64/corporate/2.1/SRPMS/openssh-3.6.1p2-1.2.90mdk.src.rpm

Mandrake Linux 8.2:
862ccaea668653af1dd98d4f4cba388e 8.2/RPMS/openssh-3.6.1p2-1.2.82mdk.i586.rpm
abb351c902abd9bcfc7eefd0d8e56b43 8.2/RPMS/openssh-askpass-3.6.1p2-1.2.82mdk.i586.rpm
614a6bd4680be732689f5bd1e791a351 8.2/RPMS/openssh-askpass-gnome-3.6.1p2-1.2.82mdk.i586.rpm
baa534caf5c7121741a7089e11cd169e 8.2/RPMS/openssh-clients-3.6.1p2-1.2.82mdk.i586.rpm
6f0b03ff0dd99857159177d3e797e916 8.2/RPMS/openssh-server-3.6.1p2-1.2.82mdk.i586.rpm
d6fd51341f521dc7fc2086915dcaec20 8.2/SRPMS/openssh-3.6.1p2-1.2.82mdk.src.rpm

Mandrake Linux 8.2/PPC:
c453de5cac92707c112c9245663fd25c ppc/8.2/RPMS/openssh-3.6.1p2-1.2.82mdk.ppc.rpm
48211a23e464b38ebd4e7deed7347f48 ppc/8.2/RPMS/openssh-askpass-3.6.1p2-1.2.82mdk.ppc.rpm
77d27118abff6a1d6c0f57c167fefb52 ppc/8.2/RPMS/openssh-askpass-gnome-3.6.1p2-1.2.82mdk.ppc.rpm
b58b03854614f14c861f42121d165a2b ppc/8.2/RPMS/openssh-clients-3.6.1p2-1.2.82mdk.ppc.rpm
9c477dda47eab7cad24839d0ea43e6a4 ppc/8.2/RPMS/openssh-server-3.6.1p2-1.2.82mdk.ppc.rpm
d6fd51341f521dc7fc2086915dcaec20 ppc/8.2/SRPMS/openssh-3.6.1p2-1.2.82mdk.src.rpm

Mandrake Linux 9.0:
e4dd6a2be580feeceddb7bf702646992 9.0/RPMS/openssh-3.6.1p2-1.2.90mdk.i586.rpm
b643425ed773606865f31797db73b6d5 9.0/RPMS/openssh-askpass-3.6.1p2-1.2.90mdk.i586.rpm
bf403b678dd74c14c489bf5a32939e80 9.0/RPMS/openssh-askpass-gnome-3.6.1p2-1.2.90mdk.i586.rpm
c4ec1f56320d69a37455d4f74da30d2d 9.0/RPMS/openssh-clients-3.6.1p2-1.2.90mdk.i586.rpm
0252fc0a7273c7c2ebbe4ae92fe492c6 9.0/RPMS/openssh-server-3.6.1p2-1.2.90mdk.i586.rpm
8909a7349c3e18993784900e1c501dc8 9.0/SRPMS/openssh-3.6.1p2-1.2.90mdk.src.rpm

Mandrake Linux 9.1:
2f657dd739f51adad400b75e627db53a 9.1/RPMS/openssh-3.6.1p2-1.2.91mdk.i586.rpm
2284741fdae6b3809b85f1f193dc9c7b 9.1/RPMS/openssh-askpass-3.6.1p2-1.2.91mdk.i586.rpm
3462362cb6364701bfe536541f24d349 9.1/RPMS/openssh-askpass-gnome-3.6.1p2-1.2.91mdk.i586.rpm
5a8b2d3763dfc4dd77c7705401b4155e 9.1/RPMS/openssh-clients-3.6.1p2-1.2.91mdk.i586.rpm
508f52a1bc06e57b5176c31dc7d1674b 9.1/RPMS/openssh-server-3.6.1p2-1.2.91mdk.i586.rpm
4d9c124f212d3ad840bc19f6579784fc 9.1/SRPMS/openssh-3.6.1p2-1.2.91mdk.src.rpm

Mandrake Linux 9.1/PPC:
bf558d8fba0c8f779f73e8a3f75956d8 ppc/9.1/RPMS/openssh-3.6.1p2-1.2.91mdk.ppc.rpm
ca0ff77a847d5485cf03e4abb1fc7a88 ppc/9.1/RPMS/openssh-askpass-3.6.1p2-1.2.91mdk.ppc.rpm
4c45f30751958b8347713b818a55caf1 ppc/9.1/RPMS/openssh-askpass-gnome-3.6.1p2-1.2.91mdk.ppc.rpm
e7912e06b6bf2579badac32f583d8511 ppc/9.1/RPMS/openssh-clients-3.6.1p2-1.2.91mdk.ppc.rpm
809424b2dd19bd2f654fdf4743fc5a8b ppc/9.1/RPMS/openssh-server-3.6.1p2-1.2.91mdk.ppc.rpm
4d9c124f212d3ad840bc19f6579784fc ppc/9.1/SRPMS/openssh-3.6.1p2-1.2.91mdk.src.rpm

Multi Network Firewall 8.2:
862ccaea668653af1dd98d4f4cba388e mnf8.2/RPMS/openssh-3.6.1p2-1.2.82mdk.i586.rpm
baa534caf5c7121741a7089e11cd169e mnf8.2/RPMS/openssh-clients-3.6.1p2-1.2.82mdk.i586.rpm
6f0b03ff0dd99857159177d3e797e916 mnf8.2/RPMS/openssh-server-3.6.1p2-1.2.82mdk.i586.rpm
d6fd51341f521dc7fc2086915dcaec20 mnf8.2/SRPMS/openssh-3.6.1p2-1.2.82mdk.src.rpm


Bug IDs fixed (see https://qa.mandrakesoft.com for more information):


To upgrade automatically, use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php

All packages are signed by MandrakeSoft for security. You can obtain the GPG public key of the Mandrake Linux Security Team by executing:

gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

Please be aware that sometimes it takes the mirrors a few hours to update.

You can view other update advisories for Mandrake Linux at:

http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting:

http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

security_linux-mandrake.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team