Full Disclosure mailing list archives
Re: Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability
From: <kernelclue () hushmail com>
Date: Tue, 16 Sep 2003 14:08:48 -0700
OpenSSH runs on a number of platforms, Windows included. To say this reflects on GNU/Linux or any Linux distro is just nonsense.

On Tue, 16 Sep 2003 11:29:30 -0700 Dave Monk <dave () themaneater com> wrote:
Recent security advisories featuring the operating system known as 'GNU/Linux' (formerly minix) have had a negative effect on the listserv. The problem stems from the polymorphic, virus-like phenomenon also known as the 'Linux distro': the Linux distro allows any single permutation of a base Linux install (such as the location of the mail spool) to actually qualify as, and require, an entire new operating system distribution. At this point in time there are over 50 distros out there. The cascade failure effect is that the minute a hole or flaw in a base Linux subsystem such as the kernel or system tools appears, it immediately causes a flood of 'vendor' emails sent to bugtraq describing each way to disable/upgrade the broken feature on their OS. The effect is that the 'signal to stupid-linux-bug ratio' on the lists gets completely out of whack, thereby diluting the utility of the list.

Solutions: None. (how do you expect to stop a tidal wave of suicidal VC money?)

Workarounds:
1) All advisories should be filtered through RMS, which would achieve the desired effect of delaying their posting indefinitely.
2) All such advisories should be prefixed by '[YASLB]' in the subject line (yet another stupid linux bug) so I can filter this stupid crap.

thanks, everyone

bugzilla () redhat com (bugzilla () redhat com) wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated OpenSSH packages fix potential vulnerability
Advisory ID:       RHSA-2003:279-01
Issue date:        2003-09-16
Updated on:        2003-09-16
Product:           Red Hat Linux
Keywords:
Cross references:
Obsoletes:         RHSA-2003:222
CVE Names:         CAN-2003-0693
- ---------------------------------------------------------------------

1. Topic:

Updated OpenSSH packages are now available that fix a bug that may be
remotely exploitable.

2. Relevant releases/architectures:

Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386
Red Hat Linux 9 - i386

3. Problem description:

OpenSSH is a suite of network connectivity tools that can be used to
establish encrypted connections between systems on a network and can
provide interactive login sessions and port forwarding, among other
functions.

The OpenSSH team has announced a bug which affects the OpenSSH buffer
handling code. This bug has the potential of being remotely exploitable.

All users of OpenSSH should immediately apply this update which contains a
backported fix for this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL Certificate
Errors, you need to install a version of the up2date client with an updated
certificate. The latest version of up2date is available from the Red Hat
FTP site and may also be downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

5. RPMs required:

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/openssh-3.1p1-9.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/openssh-3.1p1-9.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openssh-clients-3.1p1-9.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openssh-server-3.1p1-9.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openssh-askpass-3.1p1-9.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openssh-askpass-gnome-3.1p1-9.i386.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/openssh-3.1p1-10.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/openssh-3.1p1-10.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssh-clients-3.1p1-10.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssh-server-3.1p1-10.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssh-askpass-3.1p1-10.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssh-askpass-gnome-3.1p1-10.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/openssh-3.1p1-10.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openssh-clients-3.1p1-10.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openssh-server-3.1p1-10.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openssh-askpass-3.1p1-10.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openssh-askpass-gnome-3.1p1-10.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/openssh-3.1p1-10.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/openssh-3.1p1-10.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openssh-clients-3.1p1-10.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openssh-server-3.1p1-10.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openssh-askpass-3.1p1-10.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openssh-askpass-gnome-3.1p1-10.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/openssh-3.4p1-5.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/openssh-3.4p1-5.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/openssh-clients-3.4p1-5.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/openssh-server-3.4p1-5.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/openssh-askpass-3.4p1-5.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/openssh-askpass-gnome-3.4p1-5.i386.rpm

Red Hat Linux 9:

SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/openssh-3.5p1-9.src.rpm

i386:
ftp://updates.redhat.com/9/en/os/i386/openssh-3.5p1-9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/openssh-clients-3.5p1-9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/openssh-server-3.5p1-9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/openssh-askpass-3.5p1-9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/openssh-askpass-gnome-3.5p1-9.i386.rpm

6. Verification:

MD5 sum                           Package Name
- --------------------------------------------------------------------------
68c4a788b259ac5d80696344a1635238  7.1/en/os/SRPMS/openssh-3.1p1-9.src.rpm
2cb116a25b5d3f2ae0290c2b02eb822a  7.1/en/os/i386/openssh-3.1p1-9.i386.rpm
8871705678463c84f5bac0d7e314c51d  7.1/en/os/i386/openssh-askpass-3.1p1-9.i386.rpm
d40669604c1003d5fa56a0fe8f5f259f  7.1/en/os/i386/openssh-askpass-gnome-3.1p1-9.i386.rpm
ad58192a0988ae2ba28303892344dc15  7.1/en/os/i386/openssh-clients-3.1p1-9.i386.rpm
275ab4661dfef3d2331a044723728ba8  7.1/en/os/i386/openssh-server-3.1p1-9.i386.rpm
8a643b9a1c2081510494bcfe81d704da  7.2/en/os/SRPMS/openssh-3.1p1-10.src.rpm
41d575bf0e8740dea7be6f228cd49a06  7.2/en/os/i386/openssh-3.1p1-10.i386.rpm
4b768a29889a977e780f40829767f139  7.2/en/os/i386/openssh-askpass-3.1p1-10.i386.rpm
c6ade41287005e1bc3e773d489571b2f  7.2/en/os/i386/openssh-askpass-gnome-3.1p1-10.i386.rpm
ac2a157d5527b94629b393709dafee88  7.2/en/os/i386/openssh-clients-3.1p1-10.i386.rpm
dfd86218d209c998c1f5877470e08ee3  7.2/en/os/i386/openssh-server-3.1p1-10.i386.rpm
35ed02df36d62ae2ae388bdb1a2fde8b  7.2/en/os/ia64/openssh-3.1p1-10.ia64.rpm
00efc09f44de8e8757ed002b1c8f33d1  7.2/en/os/ia64/openssh-askpass-3.1p1-10.ia64.rpm
0a08a3bf5bdd95fb718c9f588aeb19a5  7.2/en/os/ia64/openssh-askpass-gnome-3.1p1-10.ia64.rpm
ad1d2c29d579622abeb9aaddc3ba2205  7.2/en/os/ia64/openssh-clients-3.1p1-10.ia64.rpm
baa9c271eea7d6d3d49fc14d4cc6cd20  7.2/en/os/ia64/openssh-server-3.1p1-10.ia64.rpm
8a643b9a1c2081510494bcfe81d704da  7.3/en/os/SRPMS/openssh-3.1p1-10.src.rpm
41d575bf0e8740dea7be6f228cd49a06  7.3/en/os/i386/openssh-3.1p1-10.i386.rpm
4b768a29889a977e780f40829767f139  7.3/en/os/i386/openssh-askpass-3.1p1-10.i386.rpm
c6ade41287005e1bc3e773d489571b2f  7.3/en/os/i386/openssh-askpass-gnome-3.1p1-10.i386.rpm
ac2a157d5527b94629b393709dafee88  7.3/en/os/i386/openssh-clients-3.1p1-10.i386.rpm
dfd86218d209c998c1f5877470e08ee3  7.3/en/os/i386/openssh-server-3.1p1-10.i386.rpm
9b0e321ba85cb0d0d92aa8d2215b660b  8.0/en/os/SRPMS/openssh-3.4p1-5.src.rpm
98eec1cabf75d33b4dab5cbcc1fa3916  8.0/en/os/i386/openssh-3.4p1-5.i386.rpm
40a5f106abe732b2de667d8eea533bfb  8.0/en/os/i386/openssh-askpass-3.4p1-5.i386.rpm
2d7066401fdffdc33d8432c5a6e15bf2  8.0/en/os/i386/openssh-askpass-gnome-3.4p1-5.i386.rpm
437bf2bd207673ce3ab9632e6c862972  8.0/en/os/i386/openssh-clients-3.4p1-5.i386.rpm
b1d6e055c373770fac486b1c32b1110b  8.0/en/os/i386/openssh-server-3.4p1-5.i386.rpm
7b1cf7bfc16af8675fef75f1c82825ca  9/en/os/SRPMS/openssh-3.5p1-9.src.rpm
42127cbc814679cefd1db11265eb2ded  9/en/os/i386/openssh-3.5p1-9.i386.rpm
301a68bc432e7ac55f847edbb30b4741  9/en/os/i386/openssh-askpass-3.5p1-9.i386.rpm
baeb84c227233c05d5b6e9e3bc1bdd3d  9/en/os/i386/openssh-askpass-gnome-3.5p1-9.i386.rpm
78188bca46a3ccbba67d1040f42e3c07  9/en/os/i386/openssh-clients-3.5p1-9.i386.rpm
2233bfd17074fd127dac4f47b57e905c  9/en/os/i386/openssh-server-3.5p1-9.i386.rpm

These packages are GPG signed by Red Hat for security. Our key is
available from https://www.redhat.com/security/keys.html

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

md5sum <filename>

7. References:

http://marc.theaimsgroup.com/?l=openbsd-misc&m=106371592604940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693

8. Contact:

The Red Hat security contact is <secalert () redhat com>. More contact
details at https://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/Z06fXlSAg2UNWIIRAjxnAJ9aO/FjfvTrpAJSHTT3XDTvZj3/zwCgkKLt
kgDsuTIKPlAf1EIS42Rg4Bo=
=NzeI
-----END PGP SIGNATURE-----

-- 
Dave McKay
dave () mu org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
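Section 6 of the quoted advisory gives two checks per package: the MD5 sum against the table, and rpm --checksig -v against Red Hat's GPG key. Doing that by hand across 35 files is where mistakes creep in, so the script below is an added example for this page (not Red Hat's tooling and not from the advisory): it reads a manifest in the advisory's "MD5 sum  Package Name" layout (section 6 pasted into a file works as-is, because the header and rule lines are skipped), checks every listed file under a mirror directory, and then hands the same set to rpm --checksig where rpm is installed. The function names, manifest filename, directory layout and sample package names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Red Hat's code. Automates the advisory's step 6:
#   md5sum <filename>          (integrity: catches corruption or a changed file)
#   rpm --checksig -v <file>   (authenticity: GPG signature against Red Hat's key)
# Manifest line format (the advisory's own table layout):
#   <32 hex chars> <whitespace> <path relative to the mirror root>

# md5_of FILE: print the hex MD5 of FILE, using md5sum or openssl as available.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# verify_md5_manifest MANIFEST BASEDIR
# Returns 0 if every listed file exists under BASEDIR and matches its MD5,
# 1 otherwise. Missing files and mismatches are reported on stderr.
verify_md5_manifest() {
    manifest=$1
    base=$2
    bad=0
    while read -r expected relpath; do
        # Skip blank lines and the "MD5 sum ..." header / "- ----" rule lines
        # that come along when section 6 is pasted straight from the advisory.
        case "$expected" in
            ''|'-'*|MD5) continue ;;
        esac
        file="$base/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath" >&2
            bad=1
            continue
        fi
        actual=$(md5_of "$file")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath (expected $expected, got $actual)" >&2
            bad=1
        fi
    done < "$manifest"
    return $bad
}

# check_rpm_signatures BASEDIR RELPATH...
# Runs the advisory's authoritative check, rpm --checksig -v, on each package.
# Returns 0 if all signatures verify, 1 if any fails, 2 if rpm is not installed
# (for example when the check is run on a non-RPM staging host).
check_rpm_signatures() {
    base=$1
    shift
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not installed; GPG signature check skipped" >&2
        return 2
    fi
    rc=0
    for relpath in "$@"; do
        rpm --checksig -v "$base/$relpath" || rc=1
    done
    return $rc
}

# Usage: sh verify-rhsa.sh MANIFEST BASEDIR
# (hypothetical script name; MANIFEST is section 6 of the advisory saved to a file)
if [ $# -eq 2 ]; then
    verify_md5_manifest "$1" "$2" &&
        check_rpm_signatures "$2" $(awk 'NF == 2 && length($1) == 32 { print $2 }' "$1")
fi
```

The MD5 table and the packages travel over the same channel, so a matching sum only tells you the file you fetched is the file the advisory describes; it does not tell you the advisory is genuine. That is why the script treats rpm --checksig (against the key published at the URL in section 6) as the check that authenticates a package, and why today MD5 is kept for corruption detection only.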
Current thread:
- [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability bugzilla (Sep 16)
- Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability Dave Monk (Sep 16)
- <Possible follow-ups>
- [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability bugzilla (Sep 16)
- Re: Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability kernelclue (Sep 16)
- Re: Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability Matt Collins (Sep 17)
- Re: Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability Jedi/Sector One (Sep 17)
- Re: Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability Nigel Houghton (Sep 17)
- Re: Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability Matt Collins (Sep 17)
- RE: Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability Brown, Rodrick (Sep 17)
- Re: Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability Len Rose (Sep 17)
- Re: Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability Valdis . Kletnieks (Sep 17)
- Re: Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability Damian Gerow (Sep 17)
- RE: Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability Bojan Zdrnja (Sep 17)
- RE: Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability Schmehl, Paul L (Sep 17)