[Gllug] [Fwd: [SECURITY] [DSA-134-1] OpenSSH remote vulnerability]

Mark Lowes hamster at korenwolf.net
Tue Jun 25 07:36:09 UTC 2002


Looks like it's going to be a busy few weeks in the upgrade
department...

I'd recommend everyone who's running openssh upgrade, firewall it, or turn
it off.

-----Forwarded Message-----

> From: Wichert Akkerman <wichert at wiggy.net>
> To: debian-security-announce at lists.debian.org
> Subject: [SECURITY] [DSA-134-1] OpenSSH remote vulnerability
> Date: 24 Jun 2002 23:56:04 +0200
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> - ------------------------------------------------------------------------
> Debian Security Advisory DSA-134-1                   security at debian.org
> http://www.debian.org/security/                         Wichert Akkerman
> June 24, 2002
> - ------------------------------------------------------------------------
> 
> 
> Package        : ssh
> Problem type   : remote exploit
> Debian-specific: no
> 
> Theo de Raadt announced that the OpenBSD team is working with ISS
> on a remote exploit for OpenSSH (a free implementation of the
> Secure SHell protocol). They are refusing to provide any details on
> the vulnerability but instead are advising everyone to upgrade to
> the latest release, version 3.3.
> 
> This version was released 3 days ago and introduced a new feature
> to reduce the effect of exploits in the network handling code
> called privilege separation.  Unfortunately this release has a few
> known problems: compression does not work on all operating systems
> since the code relies on specific mmap features, and the PAM
> support has not been completed. There may be other problems as
> well.
> 
> The new privilege separation support from Niels Provos changes ssh
> to use a separate non-privileged process to handle most of the
> work. This means any vulnerability in this part of OpenSSH can
> never lead to a root compromise but only to access to a separate
> account restricted to a chroot.
> 
> Theo made it very clear this new version does not fix the
> vulnerability, instead by using the new privilege separation code
> it merely reduces the risk since the attacker can only gain access
> to a special account restricted in a chroot.
> 
> Since details of the problem have not been released we were forced
> to move to the latest release of OpenSSH portable, version 3.3p1.
> 
> Due to the short time frame we have had we have not been able to
> update the ssh package for Debian GNU/Linux 2.2 / potato yet.
> Packages for the upcoming 3.0 release (woody) are available for
> most architectures.
> 
> Please note that we have not had the time to do proper QA on these
> packages; they might contain bugs or break things unexpectedly. If
> you notice any such problems please file a bug-report so we can
> investigate.
> 
> This package introduces a new account called `sshd' that is used in
> the privilege separation code. If no sshd account exists the
> package will try to create one. If the account already exists it
> will be re-used. If you do not want this to happen you will have
> to fix this manually. 
> 
> 
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
> 
> 
> Debian GNU/Linux 2.2 alias potato
> - ---------------------------------
> 
>   Potato was released for alpha, arm, i386, m68k, powerpc and sparc.
> 
>   Packages for potato are not available at the moment
> 
> 
> Debian GNU/Linux 3.0 alias woody
> - ---------------------------------
> 
>   Woody will be released for alpha, arm, hppa, i386, ia64, m68k, mips,
>   mipsel, powerpc, s390 and sparc. Packages for m68k are not yet
>   available at this moment.
> 
> 
>   Source archives:
> 
>     http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1-0.0woody1.dsc
>       Size/MD5 checksum:      751 2409524dc15e3de36ebfaa702c0311ea
>     http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1.orig.tar.gz
>       Size/MD5 checksum:   831189 226fdde5498c56288e777c7a697996e0
>     http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1-0.0woody1.diff.gz
>       Size/MD5 checksum:    33009 4850f4a167cb515cc20301288e751e27
> 
>   alpha architecture (DEC Alpha)
> 
>     http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_alpha.deb
>       Size/MD5 checksum:   844556 7ef1518babcb185b5ef61fde2bd881c5
>     http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_alpha.deb
>       Size/MD5 checksum:    33422 ba9145a70719500ba56940e79e2cba02
> 
>   arm architecture (Arm)
> 
>     http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_arm.deb
>       Size/MD5 checksum:   653454 4b6553ed08622525c6f22e7dc488f7c6
>     http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_arm.deb
>       Size/MD5 checksum:    32636 902f862c07059cdccb2ece3147f66282
> 
>   hppa architecture (HP PA RISC)
> 
>     http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_hppa.deb
>       Size/MD5 checksum:    33008 cdc5abf35a41df56be4780e251d203e8
>     http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_hppa.deb
>       Size/MD5 checksum:   750862 d66d8707a30787b9995f9716fdd97811
> 
>   i386 architecture (Intel ia32)
> 
>     http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_i386.deb
>       Size/MD5 checksum:   637940 c3743ca590e7efd74cb97d5be98456be
>     http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_i386.deb
>       Size/MD5 checksum:    32928 d8a53753324406f2d9a386451e02e40d
> 
>   ia64 architecture (Intel ia64)
> 
>     http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_ia64.deb
>       Size/MD5 checksum:    34374 a7f36c83b84a5d4ade7a8ee992ca92da
>     http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_ia64.deb
>       Size/MD5 checksum:   998018 ff8346cfbcba7e156f825de86c440455
> 
>   mips architecture (SGI MIPS)
> 
>     http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_mips.deb
>       Size/MD5 checksum:    32926 afc0d38e2c49eb7ef8de86a935509af3
>     http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_mips.deb
>       Size/MD5 checksum:   725414 22b6bc8d5fcfa09ba9391ed98ccf0851
> 
>   mipsel architecture (SGI MIPS (Little Endian))
> 
>     http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_mipsel.deb
>       Size/MD5 checksum:    32894 71bc788f883eb7caf3262fe8b685dfd3
>     http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_mipsel.deb
>       Size/MD5 checksum:   722364 2ee3bfe9bdaa28b41dd6aaa6407e2fc6
> 
>   powerpc architecture (PowerPC)
> 
>     http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_powerpc.deb
>       Size/MD5 checksum:    32658 7f7fa405891087d0da0c54e0fd516d02
>     http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_powerpc.deb
>       Size/MD5 checksum:   676954 4471019ed9c792bbaf6422394d7bb77c
> 
>   s390 architecture (IBM S/390)
> 
>     http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_s390.deb
>       Size/MD5 checksum:    33274 81ff83437d47fba8c62351e249e70a2d
>     http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_s390.deb
>       Size/MD5 checksum:   666304 05666b9eb24bfb76bcd3c194912da912
> 
>   sparc architecture (Sun SPARC/UltraSPARC)
> 
>     http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_sparc.deb
>       Size/MD5 checksum:    32720 8f03b2b054e9fcf47ad826802e1a0192
>     http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_sparc.deb
>       Size/MD5 checksum:   681598 2d1413a153f3e51fafaaee9a8ad4682b
> 
> 
> - -- 
> - ----------------------------------------------------------------------------
> apt-get: deb http://security.debian.org/ stable/updates main
> dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce at lists.debian.org
> 
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3ia
> Charset: noconv
> 
> iQB1AwUBPReVa6jZR/ntlUftAQGccgL/VYOsHzwOSyRqgFSBY/F+cj2iRZGe2oSH
> +DbW7mcRPw6ZrSXKWfmFD6dfz47AhYoGWYLiW2PxBGtZfiwyYFmPJnbJG0y/FQcJ
> /M/hEvloW2Ce7wbMAqz/zKcI06Nf7jA0
> =Q+XM
> -----END PGP SIGNATURE-----
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-announce-request at lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster at lists.debian.org
> 
-- 
The Flying Hamster <hamster at korenwolf.net>     
http://www.korenwolf.net/
(from #bofh) "DHCP: Destructive Hamster Conspiracy Protocol"
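Added example, not part of the DSA or of the list post above: the advisory
gives a Size/MD5 line for every .deb and then says "wget url; dpkg -i
file.deb", and it says the fix only helps if privilege separation is in
use. The script below does the two checks a practitioner would want in
between: compare a downloaded file's size and MD5 with the advisory line
before installing it, and read sshd_config for the effective
UsePrivilegeSeparation value (sshd takes the first uncommented occurrence
of a keyword, so that is what is reported; a missing directive is reported
as "unset" rather than guessing the compiled-in default). The function
names, the sample file and the sample sshd_config in the usage block are
constructed for this example; the sshd account check simply greps
/etc/passwd.

```shell
#!/bin/sh
# Added example (not from DSA-134-1 or the GLLUG post): check a downloaded
# .deb against the advisory's Size/MD5 line, and report whether sshd_config
# enables privilege separation. Function names are this example's own.

# MD5 hex digest of a file; uses coreutils md5sum, falling back to openssl.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 -r "$1" | cut -d' ' -f1
    fi
}

# verify_deb FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 only when both size and MD5 match the advisory values,
# so it can gate "dpkg -i" in a script: verify_deb ... && dpkg -i FILE
verify_deb() {
    file=$1; want_size=$2; want_md5=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    got_size=$(wc -c < "$file" | tr -d ' ')
    got_md5=$(file_md5 "$file")
    if [ "$got_size" != "$want_size" ]; then
        echo "size mismatch for $file: got $got_size, advisory says $want_size" >&2
        return 1
    fi
    if [ "$got_md5" != "$want_md5" ]; then
        echo "MD5 mismatch for $file: got $got_md5, advisory says $want_md5" >&2
        return 1
    fi
    return 0
}

# privsep_setting SSHD_CONFIG
# Prints the effective UsePrivilegeSeparation value in lower case.
# sshd uses the first uncommented occurrence of a keyword, so the first
# match wins; prints "unset" when the directive is absent.
privsep_setting() {
    v=$(awk '$1 !~ /^#/ && tolower($1) == "useprivilegeseparation" { print tolower($2); exit }' "$1")
    if [ -n "$v" ]; then echo "$v"; else echo unset; fi
}

# sshd_account_exists: the new package relies on an `sshd' account for the
# unprivileged child; returns 0 if one is present in /etc/passwd.
sshd_account_exists() {
    grep -q '^sshd:' /etc/passwd
}

# Usage (only runs when arguments are given):
#   sh check-ssh-update.sh FILE.deb SIZE MD5 [/etc/ssh/sshd_config]
if [ "$#" -ge 3 ]; then
    if verify_deb "$1" "$2" "$3"; then
        echo "checksum OK: $1"
    else
        echo "refusing to install $1" >&2
        exit 1
    fi
    cfg=${4:-/etc/ssh/sshd_config}
    [ -r "$cfg" ] && echo "UsePrivilegeSeparation: $(privsep_setting "$cfg")"
    sshd_account_exists && echo "sshd account: present" || echo "sshd account: missing"
fi
```

The size check is cheap and catches a truncated download before the MD5
is even computed; the MD5 comes from the signed advisory, so verifying it
ties the file you fetched over plain http to the text Debian signed.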