MDKSA-2003:090 - Updated openssh packages fix buffer management error
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
Mandrake Linux Security Update Advisory
________________________________________________________________________
Package name: openssh
Advisory ID: MDKSA-2003:090
Date: September 16th, 2003
Affected versions: 8.2, 9.0, 9.1, Corporate Server 2.1,
Multi Network Firewall 8.2
________________________________________________________________________
Problem Description:
A buffer management error was discovered in all versions of openssh
prior to version 3.7. According to the OpenSSH team's advisory:
"It is uncertain whether this error is potentially exploitable,
however, we prefer to see bugs fixed proactively." There have also
been reports of an exploit in the wild.
MandrakeSoft encourages all users to upgrade to these patched openssh
packages immediately and to disable sshd until you are able to upgrade
if at all possible.
________________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693
http://www.kb.cert.org/vuls/id/333628
http://www.openssh.com/txt/buffer.adv
________________________________________________________________________
Updated Packages:
Corporate Server 2.1:
5800ea0b5c436851c04e153a2d8b7706
corporate/2.1/RPMS/openssh-3.6.1p2-1.1.90mdk.i586.rpm
ca2a0c392a3b2400139b4bfbdd61121a
corporate/2.1/RPMS/openssh-askpass-3.6.1p2-1.1.90mdk.i586.rpm
51b4d8bcc2e3c92850dd29a41da1ecbc
corporate/2.1/RPMS/openssh-askpass-gnome-3.6.1p2-1.1.90mdk.i586.rpm
dd421c26a2c1b5092cc1947394f87cfa
corporate/2.1/RPMS/openssh-clients-3.6.1p2-1.1.90mdk.i586.rpm
933a01509877c76a2c16b4c129bd7bbe
corporate/2.1/RPMS/openssh-server-3.6.1p2-1.1.90mdk.i586.rpm
54299aeb96b49e1d8ef6a4dcc826eba1
corporate/2.1/SRPMS/openssh-3.6.1p2-1.1.90mdk.src.rpm
Corporate Server 2.1/x86_64:
5da7de9e35a314a9acc21ee0024c8a55
x86_64/corporate/2.1/RPMS/openssh-3.6.1p2-1.1.90mdk.x86_64.rpm
fb60f30f5241741ef2276d8616553a84
x86_64/corporate/2.1/RPMS/openssh-askpass-3.6.1p2-1.1.90mdk.x86_64.rpm
c41f38e43f87231c639f6a0fcbb2d065
x86_64/corporate/2.1/RPMS/openssh-askpass-gnome-3.6.1p2-1.1.90mdk.x86_64.rpm
c826364829aba4704f1b5435b4ab3319
x86_64/corporate/2.1/RPMS/openssh-clients-3.6.1p2-1.1.90mdk.x86_64.rpm
7b4f9e6970d4bc7ef7ac55e7824247c6
x86_64/corporate/2.1/RPMS/openssh-server-3.6.1p2-1.1.90mdk.x86_64.rpm
54299aeb96b49e1d8ef6a4dcc826eba1
x86_64/corporate/2.1/SRPMS/openssh-3.6.1p2-1.1.90mdk.src.rpm
Mandrake Linux 8.2:
eb32286108c21f58ac51d782151539b0 8.2/RPMS/openssh-3.6.1p2-1.1.82mdk.i586.rpm
0267fc6f4c0d893e435b7445fb9f6a23
8.2/RPMS/openssh-askpass-3.6.1p2-1.1.82mdk.i586.rpm
69a090f67dd853d4e60f6905eeeadf20
8.2/RPMS/openssh-askpass-gnome-3.6.1p2-1.1.82mdk.i586.rpm
96e50b6c68e657cc01911414e6836f73
8.2/RPMS/openssh-clients-3.6.1p2-1.1.82mdk.i586.rpm
f52c7678f32ca9cde888068620fb375d
8.2/RPMS/openssh-server-3.6.1p2-1.1.82mdk.i586.rpm
f96f920c60fe9961f107605e60dc0697 8.2/SRPMS/openssh-3.6.1p2-1.1.82mdk.src.rpm
Mandrake Linux 8.2/PPC:
14904d382bc45ae8346202bdc75ccee7
ppc/8.2/RPMS/openssh-3.6.1p2-1.1.82mdk.ppc.rpm
8012ca8e133f76d0a7034945603f4e90
ppc/8.2/RPMS/openssh-askpass-3.6.1p2-1.1.82mdk.ppc.rpm
aa3658d57bacf80a2bc6750a832f7ff8
ppc/8.2/RPMS/openssh-askpass-gnome-3.6.1p2-1.1.82mdk.ppc.rpm
683f8b21c9887f9160efa0cf7211caf0
ppc/8.2/RPMS/openssh-clients-3.6.1p2-1.1.82mdk.ppc.rpm
a919fcf54371e12ece94b84883cdf058
ppc/8.2/RPMS/openssh-server-3.6.1p2-1.1.82mdk.ppc.rpm
f96f920c60fe9961f107605e60dc0697
ppc/8.2/SRPMS/openssh-3.6.1p2-1.1.82mdk.src.rpm
Mandrake Linux 9.0:
5800ea0b5c436851c04e153a2d8b7706 9.0/RPMS/openssh-3.6.1p2-1.1.90mdk.i586.rpm
ca2a0c392a3b2400139b4bfbdd61121a
9.0/RPMS/openssh-askpass-3.6.1p2-1.1.90mdk.i586.rpm
51b4d8bcc2e3c92850dd29a41da1ecbc
9.0/RPMS/openssh-askpass-gnome-3.6.1p2-1.1.90mdk.i586.rpm
dd421c26a2c1b5092cc1947394f87cfa
9.0/RPMS/openssh-clients-3.6.1p2-1.1.90mdk.i586.rpm
933a01509877c76a2c16b4c129bd7bbe
9.0/RPMS/openssh-server-3.6.1p2-1.1.90mdk.i586.rpm
54299aeb96b49e1d8ef6a4dcc826eba1 9.0/SRPMS/openssh-3.6.1p2-1.1.90mdk.src.rpm
Mandrake Linux 9.1:
b428536c41761ef1295a5c424fe7090f 9.1/RPMS/openssh-3.6.1p2-1.1.91mdk.i586.rpm
6b0f784e9a9eb0a5f81682cfed347533
9.1/RPMS/openssh-askpass-3.6.1p2-1.1.91mdk.i586.rpm
1de0d5a790a8b049d936a66f9cbef637
9.1/RPMS/openssh-askpass-gnome-3.6.1p2-1.1.91mdk.i586.rpm
8be79fe54ec8fa4e6e262747b9a266f6
9.1/RPMS/openssh-clients-3.6.1p2-1.1.91mdk.i586.rpm
43c07ba3f3f4ba38f5d215dc1e62b19d
9.1/RPMS/openssh-server-3.6.1p2-1.1.91mdk.i586.rpm
6c50e55e209175d774c39512e31da4ff 9.1/SRPMS/openssh-3.6.1p2-1.1.91mdk.src.rpm
Mandrake Linux 9.1/PPC:
cea0afcd1c654e52eaeafde47e0b9cdd
ppc/9.1/RPMS/openssh-3.6.1p2-1.1.91mdk.ppc.rpm
937cafe7c1d2bc005bde44157a3ce32a
ppc/9.1/RPMS/openssh-askpass-3.6.1p2-1.1.91mdk.ppc.rpm
b96a79881c74002e80088e73b0b5420a
ppc/9.1/RPMS/openssh-askpass-gnome-3.6.1p2-1.1.91mdk.ppc.rpm
c11f8f2648eda9d127f7cbf4e20dd768
ppc/9.1/RPMS/openssh-clients-3.6.1p2-1.1.91mdk.ppc.rpm
65761615af545350699e27771761acd0
ppc/9.1/RPMS/openssh-server-3.6.1p2-1.1.91mdk.ppc.rpm
6c50e55e209175d774c39512e31da4ff
ppc/9.1/SRPMS/openssh-3.6.1p2-1.1.91mdk.src.rpm
Multi Network Firewall 8.2:
eb32286108c21f58ac51d782151539b0
mnf8.2/RPMS/openssh-3.6.1p2-1.1.82mdk.i586.rpm
96e50b6c68e657cc01911414e6836f73
mnf8.2/RPMS/openssh-clients-3.6.1p2-1.1.82mdk.i586.rpm
f52c7678f32ca9cde888068620fb375d
mnf8.2/RPMS/openssh-server-3.6.1p2-1.1.82mdk.i586.rpm
f96f920c60fe9961f107605e60dc0697
mnf8.2/SRPMS/openssh-3.6.1p2-1.1.82mdk.src.rpm
________________________________________________________________________
Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
________________________________________________________________________
To upgrade automatically, use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
A list of FTP mirrors can be obtained from:
http://www.mandrakesecure.net/en/ftp.php
All packages are signed by MandrakeSoft for security. You can obtain
the GPG public key of the Mandrake Linux Security Team by executing:
gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98
Please be aware that sometimes it takes the mirrors a few hours to
update.
You can view other update advisories for Mandrake Linux at:
http://www.mandrakesecure.net/en/advisories/
MandrakeSoft has several security-related mailing list services that
anyone can subscribe to. Information on these lists can be obtained by
visiting:
http://www.mandrakesecure.net/en/mlist.php
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE/Z3GlmqjQ0CJFipgRApLpAKD23mpcVC6S4b4N7EhgXHGGGh0jGQCeIfDv
BFTVF9HpTYKL8xAl2ua7fm4=
=sBfV
-----END PGP SIGNATURE-----