SuSE Linux Advisory: openssh

SuSE Security Announcement

Content of this advisory:

1. security vulnerability resolved: openssh problem description,
   discussion, solution and upgrade information
2. pending vulnerabilities, solutions, workarounds:
   • mysql
3. standard appendix (further information)

1) problem description, brief discussion, solution, upgrade
information

The openssh package is the most widely used implementation of
the secure shell protocol family (ssh). It provides a set of
network connectivity tools for remote (shell) login, designed to
substitute the traditional BSD-style r-protocols (rsh, rlogin).
openssh has various authentification mechanisms and many other
features such as TCP connection and X11 display forwarding over the
fully encrypted network connection as well as file transfer
facilities.

A programming error has been found in code responsible for
buffer management. If exploited by a (remote) attacker, the error
may lead to unauthorized access to the system, allowing the
execution of arbitrary commands.
The error is known as the buffer_append_space()-bug and is assigned
the Common Vulnerabilities and Exposures (CVE) name
CAN-2003-0693.

At the time of writing this announcement, it is unclear if the
buffer_append_space()-bug is exploitable. However, an increasing
amount of TCP connection attempts to port 22 (the ssh default port)
has been observed in the internet during the past days, which may
indicate that there exists an exploit for the error.

Please note that we have disabled the Privilege Separation
feature in the ssh daemon (sshd) with this update. The PrivSep
feature is designed to have parts of the ssh daemon’s work running
under lowered privileges, thereby limiting the effect of a possible
vulnerability in the code. The PrivSep feature is turned on/off by
the UsePrivilegeSeparation keyword in sshd’s configuration file
/etc/ssh/sshd_config. The feature is held responsible for
malfunctions in PAM (Pluggable Authentification Modules). The
update mechanism will not overwrite configuration files that have
been altered after the package installation.

SPECIAL INSTALL INSTRUCTIONS:

After the update has been successfully applied, the ssh daemon
(sshd) must be restarted for update package to become effective. To
restart the ssh daemon after the update, please run the following
command as root:

rcsshd restart

Please download the update package for your distribution and
verify its integrity by the methods listed in section 3) of this
announcement. Then, install the package using the command “rpm -Fhv
file.rpm” to apply the update.
Our maintenance customers are being notified individually. The
packages are being offered to install from the maintenance web.

Intel i386 Platform:

SuSE-8.2:

ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/openssh-3.5p1-106.i586.rpm

492d66deaedcfc20c1f0d66e508db790
patch rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/openssh-3.5p1-106.i586.patch.rpm

c362fedfda79824cb40cd4e5e1055aee
source rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/openssh-3.5p1-106.src.rpm

0381b9b4818f8b669631bcab9be80fb5

SuSE-8.1:

ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/openssh-3.4p1-214.i586.rpm

dda7728501c8cf17c60eff1862922842
patch rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/openssh-3.4p1-214.i586.patch.rpm

d02dfc049413b725c4255887487cfa67
source rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/openssh-3.4p1-214.src.rpm

26dd44e9bed7a5ad2d35e56301dc5489

SuSE-8.0:

ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec1/openssh-3.4p1-214.i386.rpm

2361dccd5b0c83178f8d0d5988b3490e
patch rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec1/openssh-3.4p1-214.i386.patch.rpm

5bef6aff5a603e3376a2f907c494ea7e
source rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/openssh-3.4p1-214.src.rpm

203aab39cdb7c5672a82bb07bc4a1f38

SuSE-7.3:

ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec1/openssh-2.9.9p2-155.i386.rpm

1418135ed33e59d1ce37ea135617b5bc
source rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/openssh-2.9.9p2-155.src.rpm

9d0b789127d30cca9f45c7b1f2268673

SuSE-7.2:

ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec1/openssh-2.9.9p2-155.i386.rpm

e807ecd9c4d167e3ef3764c06af1a511
source rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/openssh-2.9.9p2-155.src.rpm

a99aa03ba94f45dd25054b1ab1a962d7

Sparc Platform:

SuSE-7.3:

ftp://ftp.suse.com/pub/suse/sparc/update/7.3/sec1/openssh-2.9.9p2-52.sparc.rpm

e4f9b7e8763464d60761faf94b7f80f9
source rpm(s):

ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/openssh-2.9.9p2-52.src.rpm

ca0cbe5b564b03c64458868db369c4de

PPC Power PC Platform:

SuSE-7.3:

ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec1/openssh-2.9.9p2-108.ppc.rpm

0166ec0aec482b687bc2891611ae8ae9
source rpm(s):

ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/openssh-2.9.9p2-108.src.rpm

aed7879361a85f263a1cb3a00de964a1

2) Pending vulnerabilities in SuSE Distributions and
Workarounds:

• A buffer overflow vulnerability has been found in the mysql
  package, an Open Source relational database system. The error may
  allow a remote attacker to execute arbitrary code with the
  privileges of the database process. We are in the process of
  building and testing the update packages and will release them with
  a SuSE Security Announcement as soon as possible.

3) standard appendix: authenticity verification, additional
information

• Package authenticity verification:

SuSE update packages are available on many mirror ftp servers
all over the world. While this service is being considered valuable
and important to the free and open source software community, many
users wish to be sure about the origin of the package and its
content before installing the package. There are two verification
methods that can be used independently from each other to prove the
authenticity of a downloaded file or rpm package:

1. md5sums as provided in the (cryptographically signed)
   announcement.
2. using the internal gpg signatures of the rpm package.
3. execute the command md5sum <name-of-the-file.rpm> after
   you downloaded the file from a SuSE ftp server or its mirrors.
   Then, compare the resulting md5sum with the one that is listed in
   the announcement. Since the announcement containing the checksums
   is cryptographically signed (usually using the key [email protected]), the checksums show
   proof of the authenticity of the package. We disrecommend to
   subscribe to security lists which cause the email message
   containing the announcement to be modified so that the signature
   does not match after transport through the mailing list software.
   Downsides: You must be able to verify the authenticity of the
   announcement in the first place. If RPM packages are being rebuilt
   and a new version of a package is published on the ftp server, all
   md5 sums for the files are useless.
4. rpm package signatures provide an easy way to verify the
   authenticity of an rpm package. Use the command rpm -v –checksig
   <file.rpm> to verify the signature of the package, where
   <file.rpm> is the filename of the rpm package that you have
   downloaded. Of course, package authenticity verification can only
   target an un-installed rpm package file. Prerequisites:
   1. gpg is installed
   2. The package is signed using a certain key. The public part of
      this key must be installed by the gpg program in the directory
      ~/.gnupg/ under the user’s home directory who performs the
      signature verification (usually root). You can import the key that
      is used by SuSE in rpm packages for SuSE Linux by saving this
      announcement to a file (“announcement.txt”) and running the command
      (do “su -” to be root): gpg –batch; gpg < announcement.txt |
      gpg –import SuSE Linux distributions version 7.1 and thereafter
      install the key “[email protected]”
      upon installation or upgrade, provided that the package gpg is
      installed. The file containing the public key is placed at the
      top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de
      .

• SuSE runs two security mailing lists to which any interested
  party may subscribe:

  [email protected]

• general/linux/SuSE security discussion. All SuSE security
  announcements are sent to this list. To subscribe, send an email to

  <[email protected]>.

[email protected]

• SuSE’s announce-only mailing list. Only SuSE’s security
  announcements are sent to this list. To subscribe, send an email to

  <[email protected]>.

For general information or the frequently asked questions (faq)
send mail to:

<[email protected]>
or
<[email protected]>
respectively.

SuSE’s security contact is <[email protected]> or
<[email protected]>. The
<[email protected]>
public key is listed below.

The information in this advisory may be distributed or
reproduced, provided that the advisory is not modified in any way.
In particular, it is desired that the clear-text signature shows
proof of the authenticity of the text.
SuSE Linux AG makes no warranties of any kind whatsoever with
respect to the information contained in this security advisory.

Roman Drahtmueller,
SuSE Security.