[Full-Disclosure] [OpenPKG-SA-2003.042] OpenPKG Security Advisory (openssh)

From: OpenPKG (openpkg_at_openpkg.org)
Date: 09/24/03

    To: full-disclosure@lists.netsys.com
    Date: Wed, 24 Sep 2003 13:28:32 +0200
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ________________________________________________________________________

    OpenPKG Security Advisory                            The OpenPKG Project
    http://www.openpkg.org/security.html              http://www.openpkg.org
    openpkg-security@openpkg.org                         openpkg@openpkg.org
    OpenPKG-SA-2003.042                                          24-Sep-2003
    ________________________________________________________________________

    Package: openssh
    Vulnerability: remote root exploit
    OpenPKG Specific: no

    Affected Releases:   Affected Packages:           Corrected Packages:
    OpenPKG CURRENT      <= openssh-3.7.1p1-20030917  >= openssh-3.7.1p2-20030923
    OpenPKG 1.3          none                         N.A.
    OpenPKG 1.2          none                         N.A.

    Dependent Packages: none

    Description:
      According to an OpenSSH Security Advisory [0], versions 3.7p1 and
      3.7.1p1 of OpenSSH [1] contain multiple vulnerabilities in their
      Pluggable Authentication Modules (PAM) related code. At least one
      of these bugs is remotely exploitable if Privilege Separation is
      disabled and PAM support is enabled. Older versions of OpenSSH are not
      vulnerable. OpenPKG installations are only affected if the package was
      built with option "with_pam" set to "yes" -- which is not the default.

      The Common Vulnerabilities and Exposures (CVE) project assigned
      the id CAN-2003-0786 [2] to the problem where SSH1 PAM challenge
      response authentication ignored the result of the authentication with
      Privilege Separation off. The Common Vulnerabilities and Exposures
      (CVE) project assigned the id CAN-2003-0787 [3] to the problem where
      the PAM conversation function trashed the stack.

      Please check whether you are affected by running "<prefix>/bin/rpm -q
      openssh". If you have the "openssh" package installed and its version
      is affected (see above), we recommend that you immediately upgrade it
      (see Solution). [4][5]

    Solution:
      Select the updated source RPM appropriate for OpenPKG CURRENT [6]
      (or any later version), fetch it from the OpenPKG FTP service [7]
      or a mirror location, build a corresponding binary RPM from it [4]
      and update your OpenPKG installation by applying the binary RPM [5].
      Perform the following operations to permanently fix the security
      problem.

      $ ftp ftp.openpkg.org
      ftp> bin
      ftp> cd current/SRC
      ftp> get openssh-3.7.1p2-20030923.src.rpm
      ftp> bye
      $ <prefix>/bin/rpm --rebuild openssh-3.7.1p2-20030923.src.rpm
      $ su -
      # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssh-3.7.1p2-20030923.*.rpm
    ________________________________________________________________________

    References:
      [0] http://www.openssh.com/txt/sshpam.adv
      [1] http://www.openssh.com/
      [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0786
      [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0787
      [4] http://www.openpkg.org/tutorial.html#regular-source
      [5] http://www.openpkg.org/tutorial.html#regular-binary
      [6] ftp://ftp.openpkg.org/current/SRC/openssh-3.7.1p2-20030923.src.rpm
      [7] ftp://ftp.openpkg.org/current/SRC/
    ________________________________________________________________________

    For security reasons, this advisory was digitally signed with the
    OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
    OpenPKG project which you can retrieve from http://pgp.openpkg.org and
    hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
    for details on how to verify the integrity of this advisory.
    ________________________________________________________________________

    -----BEGIN PGP SIGNATURE-----
    Comment: OpenPKG <openpkg@openpkg.org>

    iD8DBQE/cX+AgHWT4GPEy58RAp3JAJ46cRQk51b2jBpvZZEswymlFQOT4gCguLGT
    JAo61VhgBMZZLPFoqOhET/A=
    =nd/0
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
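
Added example, not part of the OpenPKG advisory: a POSIX shell triage of the conditions in the Description, given the string printed by `rpm -q openssh` and the path of an sshd_config. The sshd_config keywords UsePAM and UsePrivilegeSeparation and their absent-keyword defaults (no and yes) are assumptions not stated in the advisory, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: exposure triage for OpenPKG-SA-2003.042 (not OpenPKG's code).

# affected_version PKG: succeed if PKG (as printed by "rpm -q openssh",
# e.g. openssh-3.7.1p1-20030917) carries OpenSSH 3.7p1 or 3.7.1p1.
affected_version() {
    ver=${1#openssh-}      # drop package name  -> 3.7.1p1-20030917
    ver=${ver%-*}          # drop release stamp -> 3.7.1p1
    case $ver in
        3.7p1|3.7.1p1) return 0 ;;
        *)             return 1 ;;
    esac
}

# sshd_opt FILE KEYWORD DEFAULT: print the effective value of KEYWORD.
# sshd keywords are case-insensitive and the first occurrence wins.
sshd_opt() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# triage PKG SSHD_CONFIG: print ok | upgrade | upgrade-urgent.
# Assumed defaults when a keyword is absent: UsePAM no, UsePrivilegeSeparation yes.
# The with_pam build option is not inspected; UsePAM is the run-time signal.
triage() {
    affected_version "$1" || { echo ok; return 0; }
    pam=$(sshd_opt "$2" UsePAM no)
    privsep=$(sshd_opt "$2" UsePrivilegeSeparation yes)
    if [ "$pam" = yes ] && [ "$privsep" = no ]; then
        echo upgrade-urgent    # the remotely exploitable combination
    else
        echo upgrade           # affected version, less exposed configuration
    fi
}

# Constructed sample input (not taken from a real host).
sample=$(mktemp)
printf '%s\n' '# constructed sshd_config' 'Port 22' \
    'useprivilegeseparation no' 'UsePAM yes' 'UsePAM no' > "$sample"
triage openssh-3.7.1p1-20030917 "$sample"    # upgrade-urgent
triage openssh-3.7.1p2-20030923 "$sample"    # ok
rm -f "$sample"
```

Both non-ok results call for the upgrade in the Solution section; the urgent one only marks hosts whose configuration matches the remotely exploitable case.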

