Mandrake alert: Updated openssh packages fix buffer management error

Posted by dave on Sep 17, 2003 8:02 AM EDT

A buffer management error was discovered in all versions of openssh prior to version 3.7. According to the OpenSSH team's advisory: "It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively." There have also been reports of an exploit in the wild.

________________________________________________________________________

                Mandrake Linux Security Update Advisory
________________________________________________________________________

Package name:           openssh
Advisory ID:            MDKSA-2003:090-1
Date:                   September 17th, 2003
Original Advisory Date: September 16th, 2003
Affected versions:      8.2, 9.0, 9.1, Corporate Server 2.1,
                        Multi Network Firewall 8.2
________________________________________________________________________

Problem Description:

 A buffer management error was discovered in all versions of openssh
 prior to version 3.7.  According to the OpenSSH team's advisory:
 "It is uncertain whether this error is potentially exploitable,
 however, we prefer to see bugs fixed proactively."  There have also
 been reports of an exploit in the wild.
 
 MandrakeSoft encourages all users to upgrade to these patched openssh
 packages immediately and, if at all possible, to disable sshd until you
 are able to upgrade.
  
Update:

 The OpenSSH developers discovered further, similar problems and revised
 the patch to correct them.  These new packages have the latest revision
 of the patch applied.
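As an added example (not part of this advisory or of MandrakeSoft's tooling), the Python below encodes the two checks a defender needs after reading it: whether an SSH identification banner advertises an OpenSSH release older than 3.7, and whether an installed Mandrake openssh RPM carries the patched release this advisory ships. The fixed release strings are taken from the advisory's package list; the rpm-style version comparison is a simplified reimplementation (no epoch handling), and the sample banners and package names in the test are constructed.

```python
import re

# Upstream boundary from the OpenSSH advisory: every release before 3.7 is affected.
FIXED_UPSTREAM = "3.7"

# Patched Mandrake release per product, from this advisory's package list. The fix
# is backported onto 3.6.1p2, so a patched host still advertises OpenSSH_3.6.1p2.
FIXED_RELEASE = {
    "8.2": "1.2.82mdk", "mnf8.2": "1.2.82mdk",
    "9.0": "1.2.90mdk", "corporate2.1": "1.2.90mdk",
    "9.1": "1.2.91mdk",
}

def _segments(s):
    """Split into rpm-style segments: runs of digits become ints, letters stay str."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]

def vercmp(a, b):
    """Simplified rpmvercmp, returning -1, 0 or 1. Numeric segments compare as ints
    and beat alphabetic ones; if all shared segments match, more segments wins (3.7p1 > 3.7)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1
        return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def banner_vulnerable(banner):
    """True if an SSH identification string advertises OpenSSH older than 3.7,
    False if 3.7 or later, None if it is not OpenSSH. Caveat: a vendor backport
    keeps the old banner, so prefer package_patched() where you have host access."""
    m = re.search(r"OpenSSH_([0-9][^\s-]*)", banner)
    if not m:
        return None
    return vercmp(m.group(1), FIXED_UPSTREAM) < 0

def package_patched(nvr, product):
    """True if an installed openssh RPM (name-version-release, as printed by
    `rpm -q openssh-server`) is at or above the release this advisory ships."""
    m = re.match(r"openssh(?:-[a-z-]+)?-(\d[^-]*)-([^-]+)$", nvr)
    if not m:
        raise ValueError("not an openssh package NVR: " + nvr)
    version, release = m.groups()
    if vercmp(version, "3.6.1p2") != 0:      # not the backported base version
        return vercmp(version, FIXED_UPSTREAM) >= 0
    return vercmp(release, FIXED_RELEASE[product]) >= 0
```

A banner scan alone flags every patched Mandrake host as vulnerable, because the backport leaves the banner at 3.6.1p2; the RPM release check is what tells the two apart.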
________________________________________________________________________

References:
  
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0695
  http://www.kb.cert.org/vuls/id/333628
  http://www.openssh.com/txt/buffer.adv
________________________________________________________________________

Updated Packages:
  
________________________________________________________________________

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
________________________________________________________________________

To upgrade automatically, use MandrakeUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

A list of FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

All packages are signed by MandrakeSoft for security.  You can obtain
the GPG public key of the Mandrake Linux Security Team by executing:

  gpg --recv-keys --keyserver http://www.mandrakesecure.net 0x22458A98

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other update advisories for Mandrake Linux at:

  http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that
anyone can subscribe to.  Information on these lists can be obtained by
visiting:

  http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

  security@linux-mandrake.com

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team <security@linux-mandrake.com>
