Date: Fri, 16 Feb 2001 18:02:43 +0100 (MET)
From: Roman Drahtmueller draht@suse.de
To: suse-security-announce@suse.de
Subject: [suse-security-announce] SuSE Security Announcement: ssh (SuSE-SA:2001:04)
SuSE Security Announcement
Package: ssh
Announcement-ID: SuSE-SA:2001:04
Date: Friday, February 16th, 2000 18:00 MET
Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
Vulnerability Type: possible remote root compromise
Severity (1-10): 9
SuSE default package: yes, no (openssh is default after SuSE-6.3)
Other affected systems: Unix systems with sshd running
Content of this advisory:
1) security vulnerability resolved: ssh
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
1) problem description, brief discussion, solution, upgrade
information
SuSE distributions contain the ssh package in the version
1.2.27. No later version is provided because of licensing issues.
SuSE maintains the 1.2.27 version in a patched package. Three new
patches have been added that work around three independent security
problems in the ssh package:
a) SSHD-1 Logging Vulnerability (discovered and published by
Jose Nazario, Crimelabs). Attackers can remotely brute-force
passwords without getting noticed or logged. In the ssh package
from the SuSE distribution, root login is allowed, as well as
password authentication. Even though brute-forcing a password may
take an enormous amount of time and resources, the issue is to be
taken seriously.
b) SSH1 session key recovery vulnerability (by Ariel Waissbein and
Agustin Azubel of CORE SDI, Argentina, and David Bleichenbacher).
Captured encrypted ssh traffic can be decrypted with some effort by
obtaining the session key for the ssh session. The added patch in
our package causes the ssh daemon to generate a new server key pair
upon failure of an RSA operation (please note that the patch
supplied with Iván Arce on bugtraq on Wed, 7 Feb 2001 has
been corrected later on!).
c) In 1998, the ssh-1 protocol was found to be vulnerable to an
attack where arbitrary sequences could be inserted into the ssh-1
protocol layer. The attack was called “crc32 compensation attack”,
and a fix was introduced (crc compensation attack detector in the
ssh -v output) into the later versions of ssh. Michal Zalewski
discovered that the fix in its most widely used implementation is
defective. An integer overflow allows an attacker to overwrite
arbitrary memory in the sshd process’ address space, which
potentially results in a remote root compromise.
Two easy remedies are available: a) switch to openssh
(please use the openssh packages on ftp.suse.com from the same
update directories as the ssh package update URLs below indicate).
openssh is a different implementation of the ssh protocol that is
compatible with protocol versions 1 and 2. Openssh Version 2.3.0
does not suffer from the problems listed above. Versions before
2.3.0 are vulnerable to other problems, so please use the updates
from the update directory on the ftp.suse.de ftp server. See
section 2) of this announcement for the md5sums of the packages. b)
upgrade your ssh package from the locations described below.
Download the update package from the locations described below and
install the package with the command `rpm -Uhv file.rpm'. The
md5sum for each file is in the line below. You can verify the
integrity of the rpm files using the command
`rpm --checksig --nogpg file.rpm',
independently from the md5 signatures below.
SPECIAL INSTALL INSTRUCTIONS:
If you run a sshd (secure shell daemon) server on your system, then
the daemon process must be restarted for the update package to
become active after installation of the update rpm. You can do this
easily with the command (run as root):
kill -15 `cat /var/run/sshd.pid`
After this, you can start the daemon using the command
rcsshd start
It should be possible now to log on again to your server as usual.
Please consult the syslogs in /var/log if this is not the case.
Warning: killing all instances of sshd on a system might render the
system inaccessible from remote, especially if secure shell is your
only method to access the system. Be careful to not lock yourself
out.
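The verify and restart steps above as shell helpers; this is an added example, not part of the original announcement, and it covers both the md5sum check and the daemon restart. The function names and return codes are hypothetical, and it assumes `md5sum` plus either Linux `/proc` or `ps` are available.

```shell
#!/bin/sh
# Added example: helper names and exit codes are illustrative, not from the advisory.

# md5_matches FILE EXPECTED_MD5 -> 0 only if FILE hashes to the published sum.
md5_matches() {
    [ -f "$1" ] || return 2
    actual=$(md5sum "$1" | cut -d' ' -f1) || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# proc_name PID -> command name of PID, empty if it is not running.
proc_name() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        ps -p "$1" -o comm= 2>/dev/null | sed 's|.*/||'
    fi
}

# term_daemon_from_pidfile PIDFILE NAME
# Sends SIGTERM to exactly one process: the PID recorded in PIDFILE, and only
# if that PID is numeric, alive and named NAME. No other process is signalled,
# so this never turns into "kill every sshd", the case the warning is about.
term_daemon_from_pidfile() {
    [ -r "$1" ] || return 1                       # no pid file to read
    pid=$(head -n 1 "$1" | tr -d '[:space:]')
    case "$pid" in ''|*[!0-9]*) return 2 ;; esac  # empty or not a number
    [ "$(proc_name "$pid")" = "$2" ] || return 3  # stale file or reused PID
    kill -15 "$pid"
}

# Intended use on the server (run as root), after downloading the update;
# ssh-update.rpm is a placeholder file name:
#   md5_matches ssh-update.rpm "<md5sum from the advisory>" && rpm -Uhv ssh-update.rpm
#   term_daemon_from_pidfile /var/run/sshd.pid sshd && rcsshd start
```

A non-zero return from `term_daemon_from_pidfile` means nothing was signalled, so the pid file should be inspected by hand before going further.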
Note: The packages on our German ftp server have been built
again to correct one of the patches. The package for the 6.1-i386
distribution has finished building a few minutes ago and uses the
same name as the build from Wednesday. Use the --force command-line
option for the rpm command if you have used the package that was
published before the release date of this announcement.
2) Pending vulnerabilities in SuSE Distributions and
Workarounds:
– The openssh package URLs and md5sums:
– Linux kernel upgrade. Several security flaws have been found
in the linux-2.2.x kernel versions. The only suitable workaround is
to upgrade to a newer kernel version. SuSE provides kernels that
have been expanded with several dozen device drivers that are not
included in the standard mainstream kernel.
While working on the kernel update packages for our
distributions, more security problems were discovered. Currently,
several persons audit code in the kernel, so that more problems are
expected to be discovered in the very near future.
Since kernel updates are very time-consuming for the
system administrator, we decided to not publish a new kernel
package each week. Instead, the new kernel packages with all known
security bugs fixed will be published by the middle/end of next
week.
In the meantime, administrators who require immediate updates
should go to ftp.kernel.org (or one of its mirrors, respectively)
and get Alan Cox’s prepatches for the 2.2.19 version of the Linux
kernel. The directory usually is
/pub/linux/kernel/people/alan/2.2.19pre, his latest patch is
pre-patch-2.2.19-13.gz. This patch fixes all currently publicly
known security problems in the Linux v2.2 kernel. For those who are
not experienced in patching and installing kernels, we recommend
waiting for the release of the SuSE Linux kernel update packages.
– From SuSE-SA:2001:03 (bind8): The sparc update packages were
pending because of build bottlenecks. The URLs to the update
packages and the md5sums are as follows:
SuSE-7.0
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/bind8-8.2.3-39.sparc.rpm
c7e2a95bd4b90d03207ffc3a9880c36c
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/bind8-8.2.3-39.src.rpm
5d4d4b608f2a8a3e61f7dc6917254f4f
– bind: The bind package version 4.x has been found vulnerable
to multiple security problems that were discussed and published in
public security forums. See http://www.securityfocus.com/templates/advisory.html?id=3051
for more information. SuSE provides update packages for the bind
nameserver in version 4 for all distributions and architectures. We
also hereby announce that the bind package (bind-4.x; the bind
nameserver in version 8 is contained in the bind8 package) will be
discontinued in future versions of the SuSE Linux Distribution. We
recommend migrating to bind in the 8.x or 9.x series. There will
be a separate security announcement for the bind (4.x) package by
Monday, February 19th 2001. In the meantime, get the md5sums from
the URL ftp://ftp.suse.de/private/draht/bind4-checksums. It is signed.
– More announcements are following this one. (mysql, tmpfile
races, …) Please read (this) section 2) in the announcements
carefully.
3) standard appendix:
SuSE runs two security mailing lists to which any interested
party may subscribe:
suse-security@suse.com
– general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list. To
subscribe, send an email to suse-security-subscribe@suse.com.
suse-security-announce@suse.com
– SuSE’s announce-only mailing list.
Only SuSE’s security announcements are sent to this list. To
subscribe, send an email to suse-security-announce-subscribe@suse.com.
For general information or the frequently asked questions (faq)
send mail to:
suse-security-info@suse.com
or
suse-security-faq@suse.com
respectively.
SuSE’s security contact is security@suse.com.
Regards,
Roman Drahtmüller.
| Roman Drahtmüller draht@suse.de // "Caution: Cape does |
SuSE GmbH - Security Phone:
| Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) |