MDKSA-2003:090-1 - Updated openssh packages fix buffer management error
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
Mandrake Linux Security Update Advisory
________________________________________________________________________
Package name: openssh
Advisory ID: MDKSA-2003:090-1
Date: September 17th, 2003
Original Advisory Date: September 16th, 2003
Affected versions: 8.2, 9.0, 9.1, Corporate Server 2.1,
Multi Network Firewall 8.2
________________________________________________________________________
Problem Description:
A buffer management error was discovered in all versions of openssh
prior to version 3.7. According to the OpenSSH team's advisory:
"It is uncertain whether this error is potentially exploitable,
however, we prefer to see bugs fixed proactively." There have also
been reports of an exploit in the wild.
MandrakeSoft encourages all users to upgrade to these patched openssh
packages immediately and, if at all possible, to disable sshd until they
are able to upgrade.
Update:
The OpenSSH developers discovered additional, similar problems and
revised the patch to correct them. These new packages have the latest
patch applied.
________________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0695
http://www.kb.cert.org/vuls/id/333628
http://www.openssh.com/txt/buffer.adv
________________________________________________________________________
Updated Packages:
Corporate Server 2.1:
e4dd6a2be580feeceddb7bf702646992
corporate/2.1/RPMS/openssh-3.6.1p2-1.2.90mdk.i586.rpm
b643425ed773606865f31797db73b6d5
corporate/2.1/RPMS/openssh-askpass-3.6.1p2-1.2.90mdk.i586.rpm
bf403b678dd74c14c489bf5a32939e80
corporate/2.1/RPMS/openssh-askpass-gnome-3.6.1p2-1.2.90mdk.i586.rpm
c4ec1f56320d69a37455d4f74da30d2d
corporate/2.1/RPMS/openssh-clients-3.6.1p2-1.2.90mdk.i586.rpm
0252fc0a7273c7c2ebbe4ae92fe492c6
corporate/2.1/RPMS/openssh-server-3.6.1p2-1.2.90mdk.i586.rpm
8909a7349c3e18993784900e1c501dc8
corporate/2.1/SRPMS/openssh-3.6.1p2-1.2.90mdk.src.rpm
Corporate Server 2.1/x86_64:
7a297d5ad1cf8f266a7045e5ed6407b4
x86_64/corporate/2.1/RPMS/openssh-3.6.1p2-1.2.90mdk.x86_64.rpm
0e1047d7ac87e4cb2fc83f51156f89e8
x86_64/corporate/2.1/RPMS/openssh-askpass-3.6.1p2-1.2.90mdk.x86_64.rpm
09592be1376bff2acb58577eb22927e5
x86_64/corporate/2.1/RPMS/openssh-askpass-gnome-3.6.1p2-1.2.90mdk.x86_64.rpm
cb39634d5cb6811a53e833a566dca625
x86_64/corporate/2.1/RPMS/openssh-clients-3.6.1p2-1.2.90mdk.x86_64.rpm
2e49b64404318ee3c10f7088781f36da
x86_64/corporate/2.1/RPMS/openssh-server-3.6.1p2-1.2.90mdk.x86_64.rpm
8909a7349c3e18993784900e1c501dc8
x86_64/corporate/2.1/SRPMS/openssh-3.6.1p2-1.2.90mdk.src.rpm
Mandrake Linux 8.2:
862ccaea668653af1dd98d4f4cba388e 8.2/RPMS/openssh-3.6.1p2-1.2.82mdk.i586.rpm
abb351c902abd9bcfc7eefd0d8e56b43
8.2/RPMS/openssh-askpass-3.6.1p2-1.2.82mdk.i586.rpm
614a6bd4680be732689f5bd1e791a351
8.2/RPMS/openssh-askpass-gnome-3.6.1p2-1.2.82mdk.i586.rpm
baa534caf5c7121741a7089e11cd169e
8.2/RPMS/openssh-clients-3.6.1p2-1.2.82mdk.i586.rpm
6f0b03ff0dd99857159177d3e797e916
8.2/RPMS/openssh-server-3.6.1p2-1.2.82mdk.i586.rpm
d6fd51341f521dc7fc2086915dcaec20 8.2/SRPMS/openssh-3.6.1p2-1.2.82mdk.src.rpm
Mandrake Linux 8.2/PPC:
c453de5cac92707c112c9245663fd25c
ppc/8.2/RPMS/openssh-3.6.1p2-1.2.82mdk.ppc.rpm
48211a23e464b38ebd4e7deed7347f48
ppc/8.2/RPMS/openssh-askpass-3.6.1p2-1.2.82mdk.ppc.rpm
77d27118abff6a1d6c0f57c167fefb52
ppc/8.2/RPMS/openssh-askpass-gnome-3.6.1p2-1.2.82mdk.ppc.rpm
b58b03854614f14c861f42121d165a2b
ppc/8.2/RPMS/openssh-clients-3.6.1p2-1.2.82mdk.ppc.rpm
9c477dda47eab7cad24839d0ea43e6a4
ppc/8.2/RPMS/openssh-server-3.6.1p2-1.2.82mdk.ppc.rpm
d6fd51341f521dc7fc2086915dcaec20
ppc/8.2/SRPMS/openssh-3.6.1p2-1.2.82mdk.src.rpm
Mandrake Linux 9.0:
e4dd6a2be580feeceddb7bf702646992 9.0/RPMS/openssh-3.6.1p2-1.2.90mdk.i586.rpm
b643425ed773606865f31797db73b6d5
9.0/RPMS/openssh-askpass-3.6.1p2-1.2.90mdk.i586.rpm
bf403b678dd74c14c489bf5a32939e80
9.0/RPMS/openssh-askpass-gnome-3.6.1p2-1.2.90mdk.i586.rpm
c4ec1f56320d69a37455d4f74da30d2d
9.0/RPMS/openssh-clients-3.6.1p2-1.2.90mdk.i586.rpm
0252fc0a7273c7c2ebbe4ae92fe492c6
9.0/RPMS/openssh-server-3.6.1p2-1.2.90mdk.i586.rpm
8909a7349c3e18993784900e1c501dc8 9.0/SRPMS/openssh-3.6.1p2-1.2.90mdk.src.rpm
Mandrake Linux 9.1:
2f657dd739f51adad400b75e627db53a 9.1/RPMS/openssh-3.6.1p2-1.2.91mdk.i586.rpm
2284741fdae6b3809b85f1f193dc9c7b
9.1/RPMS/openssh-askpass-3.6.1p2-1.2.91mdk.i586.rpm
3462362cb6364701bfe536541f24d349
9.1/RPMS/openssh-askpass-gnome-3.6.1p2-1.2.91mdk.i586.rpm
5a8b2d3763dfc4dd77c7705401b4155e
9.1/RPMS/openssh-clients-3.6.1p2-1.2.91mdk.i586.rpm
508f52a1bc06e57b5176c31dc7d1674b
9.1/RPMS/openssh-server-3.6.1p2-1.2.91mdk.i586.rpm
4d9c124f212d3ad840bc19f6579784fc 9.1/SRPMS/openssh-3.6.1p2-1.2.91mdk.src.rpm
Mandrake Linux 9.1/PPC:
bf558d8fba0c8f779f73e8a3f75956d8
ppc/9.1/RPMS/openssh-3.6.1p2-1.2.91mdk.ppc.rpm
ca0ff77a847d5485cf03e4abb1fc7a88
ppc/9.1/RPMS/openssh-askpass-3.6.1p2-1.2.91mdk.ppc.rpm
4c45f30751958b8347713b818a55caf1
ppc/9.1/RPMS/openssh-askpass-gnome-3.6.1p2-1.2.91mdk.ppc.rpm
e7912e06b6bf2579badac32f583d8511
ppc/9.1/RPMS/openssh-clients-3.6.1p2-1.2.91mdk.ppc.rpm
809424b2dd19bd2f654fdf4743fc5a8b
ppc/9.1/RPMS/openssh-server-3.6.1p2-1.2.91mdk.ppc.rpm
4d9c124f212d3ad840bc19f6579784fc
ppc/9.1/SRPMS/openssh-3.6.1p2-1.2.91mdk.src.rpm
Multi Network Firewall 8.2:
862ccaea668653af1dd98d4f4cba388e
mnf8.2/RPMS/openssh-3.6.1p2-1.2.82mdk.i586.rpm
baa534caf5c7121741a7089e11cd169e
mnf8.2/RPMS/openssh-clients-3.6.1p2-1.2.82mdk.i586.rpm
6f0b03ff0dd99857159177d3e797e916
mnf8.2/RPMS/openssh-server-3.6.1p2-1.2.82mdk.i586.rpm
d6fd51341f521dc7fc2086915dcaec20
mnf8.2/SRPMS/openssh-3.6.1p2-1.2.82mdk.src.rpm
________________________________________________________________________
Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
________________________________________________________________________
To upgrade automatically, use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
A list of FTP mirrors can be obtained from:
http://www.mandrakesecure.net/en/ftp.php
All packages are signed by MandrakeSoft for security. You can obtain
the GPG public key of the Mandrake Linux Security Team by executing:
gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98
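For packages fetched by hand from a mirror instead of through MandrakeUpdate or urpmi, the MD5 listing under "Updated Packages" can be checked with a short script. The following is an added example, not part of the MandrakeSoft advisory: it parses both layouts the listing uses (hash and path on one line, or the hash alone with the path on the next line) and runs on constructed sample files whose names and contents are made up.

```python
import hashlib
import os
import re
import tempfile

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def parse_checksums(text):
    """Map .rpm path -> MD5; the hash may sit alone on the line before the path."""
    sums, pending = {}, None
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 2 and MD5_RE.match(tok[0]) and tok[1].endswith(".rpm"):
            sums[tok[1]] = tok[0]
        elif len(tok) == 1 and pending and tok[0].endswith(".rpm"):
            sums[tok[0]] = pending
        pending = tok[0] if len(tok) == 1 and MD5_RE.match(tok[0]) else None
    return sums

def verify_downloads(sums, download_dir):
    """Check files in download_dir (matched by basename) against sums."""
    results = {}
    for path, expected in sums.items():
        local = os.path.join(download_dir, os.path.basename(path))
        if not os.path.isfile(local):
            results[path] = "missing"
            continue
        with open(local, "rb") as fh:
            actual = hashlib.md5(fh.read()).hexdigest()
        results[path] = "ok" if actual == expected else "MISMATCH"
    return results

def demo():
    a, b = b"constructed package a", b"constructed package b"  # made-up contents
    listing = "\n".join([
        "Example Release 1.0:",
        hashlib.md5(a).hexdigest() + " 1.0/RPMS/example-a-1.0-1mdk.i586.rpm",
        hashlib.md5(b).hexdigest(),               # hash alone on its line,
        "1.0/RPMS/example-b-1.0-1mdk.i586.rpm",   # path wrapped to the next
        hashlib.md5(b"c").hexdigest() + " 1.0/SRPMS/example-1.0-1mdk.src.rpm",
    ])
    with tempfile.TemporaryDirectory() as d:
        for name, data in [("example-a-1.0-1mdk.i586.rpm", a),
                           ("example-b-1.0-1mdk.i586.rpm", b + b"tampered")]:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return verify_downloads(parse_checksums(listing), d)

if __name__ == "__main__":
    print(demo())
```

A matching MD5 only shows that the file is the one the listing names; the GPG signature on the package, checked against the MandrakeSoft key above, is what establishes authenticity.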
Please be aware that sometimes it takes the mirrors a few hours to
update.
You can view other update advisories for Mandrake Linux at:
http://www.mandrakesecure.net/en/advisories/
MandrakeSoft has several security-related mailing list services that
anyone can subscribe to. Information on these lists can be obtained by
visiting:
http://www.mandrakesecure.net/en/mlist.php
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE/aIYrmqjQ0CJFipgRAkuzAKCZtNMVd9LqiR0CVbkz9XILvIB4hACeIlqv
LB/u5JclV/2Ny+Cao90MLTc=
=0Nsc
-----END PGP SIGNATURE-----