[OpenPKG-SA-2003.042] OpenPKG Security Advisory (openssh)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
OpenPKG Security Advisory The OpenPKG Project
http://www.openpkg.org/security.html http://www.openpkg.org
openpkg-security@xxxxxxxxxxx openpkg@xxxxxxxxxxx
OpenPKG-SA-2003.042 24-Sep-2003
________________________________________________________________________
Package: openssh
Vulnerability: remote root exploit
OpenPKG Specific: no
Affected Releases: Affected Packages: Corrected Packages:
OpenPKG CURRENT <= openssh-3.7.1p1-20030917 >= openssh-3.7.1p2-20030923
OpenPKG 1.3 none N.A.
OpenPKG 1.2 none N.A.
Dependent Packages: none
Description:
According to a OpenSSH Security Advisory [0], versions 3.7p1 and
3.7.1p1 of OpenSSH [1] contain multiple vulnerabilities in its
Pluggable Authentication Modules (PAM) related code. At least one
of these bugs is remotely exploitable if Privilege Separation is
disabled and PAM support is enabled. Older versions of OpenSSH are not
vulnerable. OpenPKG installations are only affected if the package was
built with option "with_pam" set to "yes" -- which is not the default.
The Common Vulnerabilities and Exposures (CVE) project assigned
the id CAN-2003-0786 [2] to the problem where SSH1 PAM challenge
response authentication ignored the result of the authentication with
Privilege Separation off. The Common Vulnerabilities and Exposures
(CVE) project assigned the id CAN-2003-0787 [3] to the problem where
the PAM conversation function trashed the stack.
Please check whether you are affected by running "<prefix>/bin/rpm -q
openssh". If you have the "openssh" package installed and its version
is affected (see above), we recommend that you immediately upgrade it
(see Solution). [4][5]
Solution:
Select the updated source RPM appropriate for OpenPKG CURRENT [6]
(or any later version), fetch it from the OpenPKG FTP service [7]
or a mirror location, build a corresponding binary RPM from it [4]
and update your OpenPKG installation by applying the binary RPM [5].
Perform the following operations to permanently fix the security
problem.
$ ftp ftp.openpkg.org
ftp> bin
ftp> cd current/SRC
ftp> get openssh-3.7.1p2-20030923.src.rpm
ftp> bye
$ <prefix>/bin/rpm --rebuild openssh-3.7.1p2-20030923.src.rpm
$ su -
# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssh-3.7.1p2-20030923.*.rpm
________________________________________________________________________
References:
[0] http://www.openssh.com/txt/sshpam.adv
[1] http://www.openssh.com/
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0786
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0787
[4] http://www.openpkg.org/tutorial.html#regular-source
[5] http://www.openpkg.org/tutorial.html#regular-binary
[6] ftp://ftp.openpkg.org/current/SRC/openssh-3.7.1p2-20030923.src.rpm
[7] ftp://ftp.openpkg.org/current/SRC/
________________________________________________________________________
For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@xxxxxxxxxxx>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@xxxxxxxxxxx>
iD8DBQE/cX+AgHWT4GPEy58RAp3JAJ46cRQk51b2jBpvZZEswymlFQOT4gCguLGT
JAo61VhgBMZZLPFoqOhET/A=
=nd/0
-----END PGP SIGNATURE-----