-----BEGIN PGP SIGNED MESSAGE-----
- ------------------------------------------------------------------------
Debian Security Advisory DSA-134-2 security@debian.org
http://www.debian.org/security/ Michael Stone
June 25, 2002
- ------------------------------------------------------------------------
Package : ssh
Problem type : remote exploit
Debian-specific: no
This advisory is an update to DSA-134-2: the changes mainly deal with
packaging issues; if you have already successfully installed an
openssh package from a previous DSA-134 advisory you may disregard
this message.
Theo de Raadt announced that the OpenBSD team is working with ISS to
address a remote exploit for OpenSSH (a free implementation of the
Secure SHell protocol). They are refusing to provide any details on
the vulnerability but instead are advising users to upgrade to the
latest release, version 3.3.
This version was released 22 Jun 2002 and enabled by default a feature
called privilege separation, in order to minimize the effect of
exploits in the ssh network handling code. Unfortunately this release
has a few known problems:
* compression does not work on all operating systems since the code
relies on specific mmap features
* the PAM support has not been completed and may break a few PAM modules
* keyboard interactive authentication does not work with privilege
separation. Most noticeable for Debian users, this breaks PAM modules
which need a PAM conversation function (like the OPIE module).
The new privilege separation support from Niels Provos changes ssh to
use a separate non-privileged process to handle most of the work. This
means that any vulnerability in this part of OpenSSH can never lead to
a root compromise but only to compromise of an unprivileged account
restricted to a chroot.
Theo made it very clear that this new version does not fix the
vulnerability. Instead, using the new privilege separation code
mitigates the vulnerability since the attacker can only gain access to
that unprivileged chroot'd account.
Since details of the problem have not been released, the move to the
latest release of OpenSSH portable, version 3.3p1, is the only known
method of mitigating the risk of the reported vulnerability.
Please note that we have not had the time to do proper QA on these
packages; they might contain bugs or break things unexpectedly. If you
notice any such problems (besides the ones mentioned in this advisory)
please file a bug-report so we can investigate.
Some notes on possible issues associated with this upgrade:
* This package introduces a new account called `sshd' that is used in
the privilege separation code. If no sshd account exists the package
will try to create one. If the account already exists it will be
re-used. If you do not want this to happen you will have to fix this
manually.
* (relevant for potato only) This update adds a backport of version
0.9.6c of the SSL library. This means you will have to upgrade the
ssl package as well.
* (relevant for potato only) This update defaults to using version 2
of the SSH protocol. This can break existing setups where RSA
authentication is used. You will either have to
- add -1 to the ssh invocation to keep using SSH protocol 1 and
your existing keys, or
- change the Protocol line in /etc/ssh/ssh_config and/or
/etc/ssh/sshd_config to "Protocol 1,2" to try protocol 1 before
protocol 2, or
- create new rsa or dsa keys for SSH protocol 2
* sshd defaults to enabling privilege separation, even if you do not
explicitly enable it in /etc/ssh/sshd_config . Again, unless you have
"UsePrivilegeSeparation no" in your sshd_config, you will be using
privilege separation with this package.
* If ssh does not work for you, you can try to disable compression. We
included a patch from Solar Designer which should fix the problem
with Linux 2.2 kernels, but there might be a few cases where this is
not sufficient.
* (relevant for potato only) Privilege separation does not currently
work with Linux 2.0 kernels
* If for some reason you cannot use privilege separation (e.g.,
because you are running a 2.0 kernel) but have already installed the
openssh 3.3p1 package, you can revert to previous behavior by adding
"UsePrivilegeSeparation no" to your /etc/ssh/sshd_config file. *Note
that disabling privilege separation will leave you vulnerable to the
security problem described in this advisory and should only be done on
an emergency basis.*
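As an added example (not part of the advisory or of the Debian packages), a POSIX shell check that reads an sshd_config the way the notes above describe the 3.3p1 packages behaving: privilege separation counts as on unless the file says "no", and protocol 2 only is assumed for potato unless a Protocol line is present. The file names and sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumes the "Keyword value" form of
# sshd_config lines; keywords are case-insensitive and sshd honours the first
# occurrence of a keyword, so the first match wins here too.
# effective_value FILE KEYWORD DEFAULT: print the first value or DEFAULT.
effective_value() {
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    found=$(awk -v key="$key" '
        /^[[:space:]]*#/ || NF == 0 { next }    # skip comments, blank lines
        tolower($1) == key { print $2; exit }   # first match wins
    ' "$1")
    printf '%s\n' "${found:-$3}"
}
# privsep_enabled FILE: succeed when privilege separation is in effect.
privsep_enabled() {
    v=$(effective_value "$1" UsePrivilegeSeparation yes | tr '[:upper:]' '[:lower:]')
    [ "$v" != no ]
}
# protocol1_allowed FILE: succeed when the Protocol list contains 1.
protocol1_allowed() {
    case ",$(effective_value "$1" Protocol 2)," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}
# report FILE: one-line summary of the two settings the advisory warns about.
report() {
    if privsep_enabled "$1"; then p="privilege separation on"
    else p="privilege separation OFF (vulnerable per this advisory)"; fi
    if protocol1_allowed "$1"; then q="protocol 1 allowed"
    else q="protocol 1 disabled (existing RSA1 keys will not work)"; fi
    printf '%s: %s; %s\n' "$1" "$p" "$q"
}
# Constructed sample configs (not real host files) for demonstration.
cat > /tmp/dsa134_default.conf <<'EOF'
# nothing set, so the package defaults apply
Port 22
EOF
cat > /tmp/dsa134_emergency.conf <<'EOF'
Port 22
usePrivilegeSeparation no
Protocol 1,2
EOF
report /tmp/dsa134_default.conf
report /tmp/dsa134_emergency.conf
```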
Some issues from previous openssh 3.3p1 packages corrected in this
advisory (not a complete changelog):
* (relevant for potato only) the installation question, "do you want
to allow protocol 2 only?", no longer defaults to "yes". Users who
answered yes to this question and also chose to regenerate their
sshd_config file found that they could no longer connect to their
server via protocol 1. See /usr/doc/ssh/README.Debian for instructions
on how to enable protocol 1 if caught in this situation.
* (relevant for potato only) the ssh package no longer conflicts with
rsh-server, nor does it provide an rsh alternative
* installation will no longer fail if users choose to generate
protocol 1 keys
Again, we regret having to release packages with larger changes and
less testing than is our usual practice; given the potential severity
and non-specific nature of the threat we decided that our users were
best served by having packages available for evaluation as quickly as
possible. We will send additional information as it comes to us, and
will continue to work on the outstanding issues.
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
Debian GNU/Linux 2.2 alias potato
- ---------------------------------
Potato was released for alpha, arm, i386, m68k, powerpc and sparc.
Packages for m68k are not available at this moment.
Debian GNU/Linux 3.0 alias woody
- --------------------------------
Woody will be released for alpha, arm, hppa, i386, ia64, m68k, mips,
mipsel, powerpc, s390 and sparc. Packages for m68k are not available
at this moment.
- --
- ----------------------------------------------------------------------------
apt-get: deb http://security.debian.org/ stable/updates main
dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
-----END PGP SIGNATURE-----