<<< Date Index >>>     <<< Thread Index >>>

[OpenPKG-SA-2003.042] OpenPKG Security Advisory (openssh)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@xxxxxxxxxxx                         openpkg@xxxxxxxxxxx
OpenPKG-SA-2003.042                                          24-Sep-2003
________________________________________________________________________

Package:             openssh
Vulnerability:       remote root exploit
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= openssh-3.7.1p1-20030917 >= openssh-3.7.1p2-20030923
OpenPKG 1.3          none                        N.A.
OpenPKG 1.2          none                        N.A.

Dependent Packages:  none

Description:
  According to a OpenSSH Security Advisory [0], versions 3.7p1 and
  3.7.1p1 of OpenSSH [1] contain multiple vulnerabilities in its
  Pluggable Authentication Modules (PAM) related code. At least one
  of these bugs is remotely exploitable if Privilege Separation is
  disabled and PAM support is enabled. Older versions of OpenSSH are not
  vulnerable. OpenPKG installations are only affected if the package was
  built with option "with_pam" set to "yes" -- which is not the default.

  The Common Vulnerabilities and Exposures (CVE) project assigned
  the id CAN-2003-0786 [2] to the problem where SSH1 PAM challenge
  response authentication ignored the result of the authentication with
  Privilege Separation off. The Common Vulnerabilities and Exposures
  (CVE) project assigned the id CAN-2003-0787 [3] to the problem where
  the PAM conversation function trashed the stack.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  openssh". If you have the "openssh" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution). [4][5]

Solution:
  Select the updated source RPM appropriate for OpenPKG CURRENT [6]
  (or any later version), fetch it from the OpenPKG FTP service [7]
  or a mirror location, build a corresponding binary RPM from it [4]
  and update your OpenPKG installation by applying the binary RPM [5].
  Perform the following operations to permanently fix the security
  problem.

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd current/SRC
  ftp> get openssh-3.7.1p2-20030923.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm --rebuild openssh-3.7.1p2-20030923.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssh-3.7.1p2-20030923.*.rpm
________________________________________________________________________

References:
  [0] http://www.openssh.com/txt/sshpam.adv
  [1] http://www.openssh.com/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0786
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0787
  [4] http://www.openpkg.org/tutorial.html#regular-source
  [5] http://www.openpkg.org/tutorial.html#regular-binary
  [6] ftp://ftp.openpkg.org/current/SRC/openssh-3.7.1p2-20030923.src.rpm
  [7] ftp://ftp.openpkg.org/current/SRC/
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@xxxxxxxxxxx>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@xxxxxxxxxxx>

iD8DBQE/cX+AgHWT4GPEy58RAp3JAJ46cRQk51b2jBpvZZEswymlFQOT4gCguLGT
JAo61VhgBMZZLPFoqOhET/A=
=nd/0
-----END PGP SIGNATURE-----