Date: Tue, 27 Mar 2001 15:24:00 -0500
From: bugzilla@REDHAT.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: [RHSA-2001:033-04] Updated openssh packages available
Red Hat, Inc. Red Hat Security Advisory
Synopsis: Updated openssh packages available
Advisory ID: RHSA-2001:033-04
Issue date: 2001-03-23
Updated on: 2001-03-27
Product: Red Hat Linux
Keywords: openssh passive analysis
Cross references:
Obsoletes: RHBA-2000-076 RHSA-2000-111
1. Topic:
Updated openssh packages are now available for Red Hat Linux 7.
These packages reduce the amount of information a passive attacker
can deduce from observing an encrypted session.
2. Relevant releases/architectures:
Red Hat Linux 7.0 – alpha, i386
3. Problem description:
Weaknesses in the SSH protocols can be used by a passive
attacker to deduce information about passwords entered over an
encrypted connection. This information can be used to reduce the
number of possible solutions which need to be tested to perform a
brute-force attack. This reduces the amount of time and resources
required to mount such an attack successfully.
OpenSSH 2.5.1 and 2.5.2 include modifications which, while not
completely resolving this problem, reduce the risks by changing
certain server behaviors to make passive analysis more
difficult.
4. Solution:
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade.
Only those RPMs which are currently installed will be updated.
Those RPMs which are not installed but included in the list will
not be updated. Note that you can also use wildcards (*.rpm) if
your current directly *only* contains the desired RPMs.
Please note that this update is also available via Red Hat
Network. Many people find this an easier way to apply updates. To
use Red Hat Network, launch the Red Hat Update Agent with the
following command:
up2date
This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.
5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla
for more info):
30293 – Where is sftp?
32977 – ssh unable to connect to certain servers using v2
6. RPMs required:
Red Hat Linux 7.0:
SRPMS:
ftp://updates.redhat.com/7.0/SRPMS/openssh-2.5.2p2-1.7.src.rpm
alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/openssh-2.5.2p2-1.7.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/openssh-askpass-2.5.2p2-1.7.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/openssh-askpass-gnome-2.5.2p2-1.7.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/openssh-clients-2.5.2p2-1.7.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/openssh-server-2.5.2p2-1.7.alpha.rpm
i386:
ftp://updates.redhat.com/7.0/en/os/i386/openssh-2.5.2p2-1.7.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/openssh-askpass-2.5.2p2-1.7.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/openssh-askpass-gnome-2.5.2p2-1.7.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/openssh-clients-2.5.2p2-1.7.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/openssh-server-2.5.2p2-1.7.i386.rpm
7. Verification:
MD5 sum Package Name
2249d15ecdca22482c03e8059dd8b31d
7.0/SRPMS/openssh-2.5.2p2-1.7.src.rpm
2c1705e525c6f07d611520374ddfe451
7.0/alpha/openssh-2.5.2p2-1.7.alpha.rpm
da69ea875b494a81b91caa65bad4b3b0
7.0/alpha/openssh-askpass-2.5.2p2-1.7.alpha.rpm
52f445b91c77c4aa1e63624aaca56a2a
7.0/alpha/openssh-askpass-gnome-2.5.2p2-1.7.alpha.rpm
997f39e0755a36d7633e6ddbde8b5e5d
7.0/alpha/openssh-clients-2.5.2p2-1.7.alpha.rpm
df2d8919c4c2ff8b0a57a4826c20e764
7.0/alpha/openssh-server-2.5.2p2-1.7.alpha.rpm
59fe7436fb6736b7948bfaec706c5628
7.0/i386/openssh-2.5.2p2-1.7.i386.rpm
f80b1952bd5caf65d0e724a26b421635
7.0/i386/openssh-askpass-2.5.2p2-1.7.i386.rpm
04723384928efd09e4f96ef142409135
7.0/i386/openssh-askpass-gnome-2.5.2p2-1.7.i386.rpm
8e387b44bd433e71c1caecb899a680f4
7.0/i386/openssh-clients-2.5.2p2-1.7.i386.rpm
99a219f6c0708203f4982a4998b4e401
7.0/i386/openssh-server-2.5.2p2-1.7.i386.rpm
These packages are GPG signed by Red Hat, Inc. for security. Our
key is available at:
http://www.redhat.com/corp/contact.html
You can verify each package with the following command:
rpm –checksig <filename>
If you only wish to verify that each package has not been
corrupted or tampered with, examine only the md5sum with the
following command:
rpm –checksig –nogpg <filename>
8. References:
http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=98525792903526&w=2
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=98527416918430&w=2
Copyright(c) 2000, 2001 Red Hat, Inc.
Web Webster has more than 20 years of writing and editorial experience in the tech sector. He’s written and edited news, demand generation, user-focused, and thought leadership content for business software solutions, consumer tech, and Linux Today, he edits and writes for a portfolio of tech industry news and analysis websites including webopedia.com, and DatabaseJournal.com.
LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.
Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved
Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.