Security Update: [CSSA-2002-012.0] Linux: OpenSSH channel code vulnerability

From: security@caldera.com
Date: 03/29/02 

To: bugtraq@securityfocus.com, announce@lists.caldera.com, security-alerts@linuxsecurity.com
From: security@caldera.com
Date: Fri, 29 Mar 2002 11:56:23 -0800

To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com

______________________________________________________________________________
                   Caldera International, Inc. Security Advisory

Subject: Linux: OpenSSH channel code vulnerability
Advisory number: CSSA-2002-012.0
Issue date: 2002, March 28
Cross reference:
______________________________________________________________________________

1. Problem Description

   A bug exists in the channel code of OpenSSH versions 2.0 though 3.0.2.
   Existing users can use this bug to gain root privileges. The ability
   to exploit this vulnerability without an existing user account has not
   yet been proven, but it is considered possible. A malicious ssh server
   could also use this bug to exploit a connecting vulnerable client.

2. Vulnerable Supported Versions

   System Package
   -----------------------------------------------------------
   OpenLinux Server 3.1 All packages previous to
                                 openssh-2.9p2
   
   OpenLinux Workstation 3.1 All packages previous to
                                 openssh-2.9p2
   
   OpenLinux Server 3.1.1 All packages previous to
                                 openssh-2.9.9p2
   
   OpenLinux Workstation All packages previous to
   3.1.1 openssh-2.9.9p2
   

3. Solution

   Workaround

     none

   The proper solution is to upgrade to the latest packages.

4. OpenLinux 3.1 Server

    4.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

   4.2 Verification

       f628846edca7e40cebf0174d4a02abb9 RPMS/openssh-2.9p2-5.i386.rpm
       
   4.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh openssh-2.9p2-5.i386.rpm
         

5. OpenLinux 3.1 Workstation

    5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

   5.2 Verification

       f628846edca7e40cebf0174d4a02abb9 RPMS/openssh-2.9p2-5.i386.rpm
       
   5.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh openssh-2.9p2-5.i386.rpm
         

6. OpenLinux 3.1.1 Server

    6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

   6.2 Verification

       523a21268ec04feb84feaf8a8b41bb3c RPMS/openssh-2.9.9p2-3.i386.rpm
       
   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh openssh-2.9.9p2-3.i386.rpm
         

7. OpenLinux 3.1.1 Workstation

    7.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

   7.2 Verification

       523a21268ec04feb84feaf8a8b41bb3c RPMS/openssh-2.9.9p2-3.i386.rpm
       
   7.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh openssh-2.9.9p2-3.i386.rpm
         

8. References

   Specific references for this advisory:

        none

   Caldera OpenLinux security resources:

        http://www.caldera.com/support/security/index.html

   Caldera UNIX security resources:

        http://stage.caldera.com/support/security/

   This security fix closes Caldera incidents sr861333, fz520313,
   erg711982.

9. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of
   any of the information we provide on this website and/or through
   our security advisories. Our advisories are a service to our
   customers intended to promote secure installation and use of
   Caldera International products.

10. Acknowledgements

   Joost Pol <joost@pine.nl> discovered and researched this vulnerability.
______________________________________________________________________________

Relevant Pages