---------------------------------------------------------------------
                   Fedora Legacy Update Advisory

Synopsis:          Updated openssh packages fix security issues
Advisory ID:       FLSA:168935
Issue date:        2006-02-18
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2004-2069 CVE-2006-0225
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated openssh packages that fix security issues are now available.

OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH
replaces rlogin and rsh, and provides secure encrypted communications
between two untrusted hosts over an insecure network. X11 connections
and arbitrary TCP/IP ports can also be forwarded over a secure channel.
Public key authentication can be used for "passwordless" access to
servers.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

A bug was found in the way the OpenSSH server handled the MaxStartups
and LoginGraceTime configuration variables. A malicious user could
connect to the SSH daemon in such a way that it would prevent additional
logins from occurring until the malicious connections are closed. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2004-2069 to this issue.

The scp command was found to expose filenames twice to shell expansion.
A malicious user could execute arbitrary commands by using specially
crafted filenames containing shell metacharacters or spaces. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2006-0225 to this issue.

Users of openssh should upgrade to these updated packages, which contain
backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that
you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168935

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/openssh-3.1p1-14.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-3.1p1-14.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-askpass-3.1p1-14.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-askpass-gnome-3.1p1-14.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-clients-3.1p1-14.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-server-3.1p1-14.3.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/openssh-3.5p1-11.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-3.5p1-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-askpass-3.5p1-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-askpass-gnome-3.5p1-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-clients-3.5p1-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-server-3.5p1-11.4.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/openssh-3.6.1p2-19.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-3.6.1p2-19.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-askpass-3.6.1p2-19.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-askpass-gnome-3.6.1p2-19.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-clients-3.6.1p2-19.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-server-3.6.1p2-19.4.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/openssh-3.6.1p2-34.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/openssh-3.6.1p2-34.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/openssh-askpass-3.6.1p2-34.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/openssh-askpass-gnome-3.6.1p2-34.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/openssh-clients-3.6.1p2-34.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/openssh-server-3.6.1p2-34.4.legacy.i386.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/openssh-3.9p1-8.0.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/openssh-3.9p1-8.0.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/openssh-askpass-3.9p1-8.0.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/openssh-askpass-gnome-3.9p1-8.0.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/openssh-clients-3.9p1-8.0.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/openssh-server-3.9p1-8.0.4.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/openssh-3.9p1-8.0.4.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/openssh-askpass-3.9p1-8.0.4.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/openssh-askpass-gnome-3.9p1-8.0.4.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/openssh-clients-3.9p1-8.0.4.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/openssh-server-3.9p1-8.0.4.legacy.x86_64.rpm

7. Verification:

SHA1 sum                                  Package Name
---------------------------------------------------------------------
5c732eac2396d1dbc767c6706b936177b04e3ba9  redhat/7.3/updates/i386/openssh-3.1p1-14.3.legacy.i386.rpm
ac522209cbabd3638e8ca2b08bdf5453c1d9a8d4  redhat/7.3/updates/i386/openssh-askpass-3.1p1-14.3.legacy.i386.rpm
a79e45b1fd78f517a2dfb846e1814aeff35ab86d  redhat/7.3/updates/i386/openssh-askpass-gnome-3.1p1-14.3.legacy.i386.rpm
daa5d5518e33835ef47f41f3bb379d9659e2bc3f  redhat/7.3/updates/i386/openssh-clients-3.1p1-14.3.legacy.i386.rpm
28d3e3a66e6c786db875c5ea8d629b6abcc7fe5b  redhat/7.3/updates/i386/openssh-server-3.1p1-14.3.legacy.i386.rpm
d838db35baa90040dec9df7459af4682f8976b7a  redhat/7.3/updates/SRPMS/openssh-3.1p1-14.3.legacy.src.rpm

2e4da4da715512dccb420fc67f3bb24dae2d9a40  redhat/9/updates/i386/openssh-3.5p1-11.4.legacy.i386.rpm
af36bd2aa23d16986072cf15c6906add540f8b8a  redhat/9/updates/i386/openssh-askpass-3.5p1-11.4.legacy.i386.rpm
0cc2cf34bde4b876944c8f19c1cd58d9f4503757  redhat/9/updates/i386/openssh-askpass-gnome-3.5p1-11.4.legacy.i386.rpm
f0e967606a821ec50f6d0af708935a9f04b52d11  redhat/9/updates/i386/openssh-clients-3.5p1-11.4.legacy.i386.rpm
d49d40f814c95319dff11a49f8bb66dcdd3f808c  redhat/9/updates/i386/openssh-server-3.5p1-11.4.legacy.i386.rpm
38544ce3e39dbebcb15ce213f4aff9bf3edb93a7  redhat/9/updates/SRPMS/openssh-3.5p1-11.4.legacy.src.rpm

c962909e215becff41ab14353a0b1ef3f5a499fd  fedora/1/updates/i386/openssh-3.6.1p2-19.4.legacy.i386.rpm
61ca655031b498ba8c66a97f0792c4f9dbd0f795  fedora/1/updates/i386/openssh-askpass-3.6.1p2-19.4.legacy.i386.rpm
0201fe8254733f85cde19e17911015c38ae6f8fa  fedora/1/updates/i386/openssh-askpass-gnome-3.6.1p2-19.4.legacy.i386.rpm
3818241e59db35fe61773f7e59d9d83fafd4b16a  fedora/1/updates/i386/openssh-clients-3.6.1p2-19.4.legacy.i386.rpm
202bec4605eaf6054433a170a6432a3d449862cb  fedora/1/updates/i386/openssh-server-3.6.1p2-19.4.legacy.i386.rpm
e5b385dbba09ec63225c2eb25e22827d0e6fd789  fedora/1/updates/SRPMS/openssh-3.6.1p2-19.4.legacy.src.rpm

ca85182633a97ce1bb8c3bcb683d44242881703f  fedora/2/updates/i386/openssh-3.6.1p2-34.4.legacy.i386.rpm
f49c8368fe790df101b671a368f0ff47fdc0fad3  fedora/2/updates/i386/openssh-askpass-3.6.1p2-34.4.legacy.i386.rpm
281fe61d517ebff0a297cd4c6342c398debcd33f  fedora/2/updates/i386/openssh-askpass-gnome-3.6.1p2-34.4.legacy.i386.rpm
d25c9ca4c55732cc3368587cfd6b4b7629c52ee8  fedora/2/updates/i386/openssh-clients-3.6.1p2-34.4.legacy.i386.rpm
ec570330a25c600803dd2f88ff140726a66d3c7e  fedora/2/updates/i386/openssh-server-3.6.1p2-34.4.legacy.i386.rpm
4bf28b7a7d7a9fad922b6a1e96a0433320cab26e  fedora/2/updates/SRPMS/openssh-3.6.1p2-34.4.legacy.src.rpm

75001fc461867ff3b5f608423de99b5c0d9705e6  fedora/3/updates/i386/openssh-3.9p1-8.0.4.legacy.i386.rpm
e4a4bfc7866e2ace0c9b0a0a3b4598e9594fd6ae  fedora/3/updates/i386/openssh-askpass-3.9p1-8.0.4.legacy.i386.rpm
4df1fe9ad8bfcdee35dcddbc9fb124e513718275  fedora/3/updates/i386/openssh-askpass-gnome-3.9p1-8.0.4.legacy.i386.rpm
f53b372fcab1724ac8a073aebc9b04718439c894  fedora/3/updates/i386/openssh-clients-3.9p1-8.0.4.legacy.i386.rpm
8b800276ec20d03452cf1e39883315baa9c7a7df  fedora/3/updates/i386/openssh-server-3.9p1-8.0.4.legacy.i386.rpm
61a70c9f0cf6c152fb7f48c5857b5e002dc0527a  fedora/3/updates/x86_64/openssh-3.9p1-8.0.4.legacy.x86_64.rpm
b8e38615db4f431c1e87204a0ecaefbabde2479b  fedora/3/updates/x86_64/openssh-askpass-3.9p1-8.0.4.legacy.x86_64.rpm
5cd606345fb8b3ba1f7c1d6f005d18c50d0886bd  fedora/3/updates/x86_64/openssh-askpass-gnome-3.9p1-8.0.4.legacy.x86_64.rpm
db5f2a76871dc0e6987702a492ad84252a5211c4  fedora/3/updates/x86_64/openssh-clients-3.9p1-8.0.4.legacy.x86_64.rpm
18f578efebdc634ee6ab363064f9ac8d81fa5cf0  fedora/3/updates/x86_64/openssh-server-3.9p1-8.0.4.legacy.x86_64.rpm
8dc6ca866a0a5d0e2c01f4b898bbaa798399fa40  fedora/3/updates/SRPMS/openssh-3.9p1-8.0.4.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2069
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225

9. Contact:

The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>.
More project details at http://www.fedoralegacy.org
---------------------------------------------------------------------
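Section 3 names the two sshd_config directives involved in CVE-2004-2069. The fragment below is an added illustration, not text from the advisory, of what those directives control on an updated server: LoginGraceTime bounds how long a connection may stay unauthenticated, and MaxStartups caps how many such connections sshd keeps open at once. The numbers are the example's own choices, not values the advisory recommends.

```text
# Example sshd_config fragment (added here; not from the advisory).

# Seconds an unauthenticated connection may stay open before sshd closes it.
LoginGraceTime 30

# start:rate:full form. Up to 10 unauthenticated connections are accepted
# unconditionally; beyond that, new ones are dropped with a probability that
# starts at 30% and rises linearly until 100 are pending, after which every
# new unauthenticated connection is refused.
MaxStartups 10:30:100
```

After editing, `sshd -t` checks that the file parses before the daemon is restarted. These settings limit how much of the unauthenticated connection table any one client can hold; they complement the package update, which is what actually corrects the handling bug described in section 3.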
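Section 7 above gives one SHA1 per package and tells the reader to run sha1sum by hand. The script below is an added example, not part of the Fedora Legacy advisory: it reads a manifest in the advisory's "SHA1 sum  Package Name" layout, checks every file under a download root whose tree mirrors those relative paths (that layout is an assumption of the example), and only then hands the packages to `rpm --checksig` for the GPG check. The files and manifest built in `demo_run` are constructed test data, not real packages.

```shell
#!/bin/sh
# Added example (not the advisory's own code): verify downloaded RPMs
# against a "SHA1  relative/path" manifest before checking GPG signatures.

# sha1_of FILE -> hex SHA1 of FILE (sha1sum, or shasum where coreutils is absent)
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# verify_sha1 EXPECTED FILE -> 0 if FILE hashes to EXPECTED, 1 otherwise
verify_sha1() {
    expected=$1
    file=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha1_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "SHA1 MISMATCH: $file (expected $expected, got $actual)" >&2
    return 1
}

# check_manifest MANIFEST ROOT -> verifies ROOT/PATH for every "SHA1 PATH"
# line, prints "ok N bad M", returns 1 if any entry failed or is missing.
check_manifest() {
    manifest=$1
    root=$2
    ok=0; bad=0
    while read -r sum path; do
        [ -n "$sum" ] || continue                 # skip blank lines
        case "$sum" in '#'*) continue ;; esac     # skip comment lines
        if verify_sha1 "$sum" "$root/$path"; then
            ok=$((ok + 1))
        else
            bad=$((bad + 1))
        fi
    done < "$manifest"
    echo "ok $ok bad $bad"
    [ "$bad" -eq 0 ]
}

# demo_run -> constructed data: one intact file and one tampered file, both
# listed in the manifest with the SHA1 of "hello\n". Prints "ok 1 bad 1" and
# returns 1, showing that a single bad package fails the whole check.
demo_run() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/dl/fedora/3/updates/i386"
    printf 'hello\n' > "$tmp/dl/fedora/3/updates/i386/good.rpm"
    printf 'hellO\n' > "$tmp/dl/fedora/3/updates/i386/tampered.rpm"
    cat > "$tmp/manifest" <<'EOF'
f572d396fae9206628714fb2ce00f72e94f2258f fedora/3/updates/i386/good.rpm
f572d396fae9206628714fb2ce00f72e94f2258f fedora/3/updates/i386/tampered.rpm
EOF
    if check_manifest "$tmp/manifest" "$tmp/dl"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Usage: sh verify_flsa.sh MANIFEST DOWNLOAD_ROOT
# With no arguments the script only defines the functions above.
if [ "$#" -eq 2 ]; then
    check_manifest "$1" "$2" || exit 1
    # Sums match: now check the Fedora Legacy GPG signature on each package,
    # as section 7 instructs (the matching sum alone proves only integrity).
    while read -r sum path; do
        [ -n "$sum" ] && rpm --checksig -v "$2/$path"
    done < "$1"
fi
```

The manifest can be pasted straight from the section 7 table; the script treats the first field as the hash and everything after it as the path, so the advisory's column spacing does not matter. A file that is missing counts as a failure rather than being skipped, so a partial download cannot pass silently.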