--------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated openssh packages fix a security issue Advisory ID: FLSA:123014 Issue date: 2005-07-11 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CAN-2004-0175 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: Updated openssh packages that fix a potential security vulnerability are now available. OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH replaces rlogin and rsh, and provides secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over a secure channel. Public key authentication can be used for "passwordless" access to servers. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 Fedora Core 2 - i386 3. Problem description: The scp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses scp to copy files from a malicious server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0175 to this issue. These updated packages also correct the following bug: On systems where direct ssh access for the root user was disabled by configuration (setting "PermitRootLogin no"), attempts to guess the root password could be judged as sucessful or unsucessful by observing a delay. Users of openssh should upgrade to these updated packages, which contain backported patches to resolve these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123014 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/openssh-3.1p1-14.2.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-3.1p1-14.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-askpass-3.1p1-14.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-askpass-gnome-3.1p1-14.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-clients-3.1p1-14.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-server-3.1p1-14.2.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/openssh-3.5p1-11.2.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-3.5p1-11.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-askpass-3.5p1-11.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-askpass-gnome-3.5p1-11.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-clients-3.5p1-11.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-server-3.5p1-11.2.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/openssh-3.6.1p2-19.2.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-3.6.1p2-19.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-askpass-3.6.1p2-19.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-askpass-gnome-3.6.1p2-19.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-clients-3.6.1p2-19.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-server-3.6.1p2-19.2.legacy.i386.rpm Fedora Core 2: SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/openssh-3.6.1p2-34.2.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/2/updates/i386/openssh-3.6.1p2-34.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/openssh-askpass-3.6.1p2-34.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/openssh-askpass-gnome-3.6.1p2-34.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/openssh-clients-3.6.1p2-34.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/openssh-server-3.6.1p2-34.2.legacy.i386.rpm 7. Verification: SHA1 sum Package Name --------------------------------------------------------------------- 8bd4e4daf209249160c1d7f170c63b0d0f43bb54 redhat/7.3/updates/i386/openssh-3.1p1-14.2.legacy.i386.rpm d24556ae238b448fe37d0ce1afa032a743b7339b redhat/7.3/updates/i386/openssh-askpass-3.1p1-14.2.legacy.i386.rpm d7034dde021d188bbfff57b9287ea0f8dea162b0 redhat/7.3/updates/i386/openssh-askpass-gnome-3.1p1-14.2.legacy.i386.rpm b24fa1844c81632719b0ee10c5aba27e72b1ef11 redhat/7.3/updates/i386/openssh-clients-3.1p1-14.2.legacy.i386.rpm 7567b5a4c4f49ee9d247b30ae35741d3e0885f59 redhat/7.3/updates/i386/openssh-server-3.1p1-14.2.legacy.i386.rpm 93591a2b6fd1d4be2796be09e108ff301bab9baf redhat/7.3/updates/SRPMS/openssh-3.1p1-14.2.legacy.src.rpm 35820cc8261fffa5e1bbce4b22abb6075966418a redhat/9/updates/i386/openssh-3.5p1-11.2.legacy.i386.rpm b006d5c937b482b30835d4a5283683f039d2c963 redhat/9/updates/i386/openssh-askpass-3.5p1-11.2.legacy.i386.rpm 75f2303826649634880245fa13935c74bf76b8df redhat/9/updates/i386/openssh-askpass-gnome-3.5p1-11.2.legacy.i386.rpm 598d2940ce65b82de88a7e563b0450752d679d50 redhat/9/updates/i386/openssh-clients-3.5p1-11.2.legacy.i386.rpm d23f5da5bae703ee28a1de84999ce8fb4945ba20 redhat/9/updates/i386/openssh-server-3.5p1-11.2.legacy.i386.rpm 67ac403b9057d01c5bbfc0ac0d7334955086f080 redhat/9/updates/SRPMS/openssh-3.5p1-11.2.legacy.src.rpm 09ba397b8a3cdee453ab44af50470f392b1a1d9a fedora/1/updates/i386/openssh-3.6.1p2-19.2.legacy.i386.rpm a59fbcbe89778e212b4ccaa397f298ad35291020 fedora/1/updates/i386/openssh-askpass-3.6.1p2-19.2.legacy.i386.rpm d026e18b3d16d4b05d204de3aa1de9cf5e9ae756 fedora/1/updates/i386/openssh-askpass-gnome-3.6.1p2-19.2.legacy.i386.rpm 70ebb446b1cc50bb2e242af4ec04cee53aa71713 fedora/1/updates/i386/openssh-clients-3.6.1p2-19.2.legacy.i386.rpm 1af3ab8e0b843f6bf72c9061f3399ce09f674c98 fedora/1/updates/i386/openssh-server-3.6.1p2-19.2.legacy.i386.rpm cee2cbca4b9fde1534bf76c9cb46d1ddd7a30fc7 fedora/1/updates/SRPMS/openssh-3.6.1p2-19.2.legacy.src.rpm 42a086b1508853dd44be7d88e562613764c359cb fedora/2/updates/i386/openssh-3.6.1p2-34.2.legacy.i386.rpm f39c8fc529c50d0a67eedb89abb04015970a5ec2 fedora/2/updates/i386/openssh-askpass-3.6.1p2-34.2.legacy.i386.rpm 30c087e45ae7a3c6abcff83d8608d1c8d881458c fedora/2/updates/i386/openssh-askpass-gnome-3.6.1p2-34.2.legacy.i386.rpm 53851fd533168707f6f250d66506dc51769c9348 fedora/2/updates/i386/openssh-clients-3.6.1p2-34.2.legacy.i386.rpm 833ce8cf4f100a2b5b48aa77cb9d67fecba93366 fedora/2/updates/i386/openssh-server-3.6.1p2-34.2.legacy.i386.rpm c7584c616f01c21264e912e77892ebc8bbd8be29 fedora/2/updates/SRPMS/openssh-3.6.1p2-34.2.legacy.src.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum <filename> 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0175 9. Contact: The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More project details at http://www.fedoralegacy.org ---------------------------------------------------------------------
Attachment:
signature.asc
Description: OpenPGP digital signature