TSLSA-2003-0033 - openssh

From: Trustix Secure Linux Advisor (tsl_at_trustix.com)
Date: 09/17/03

  • Next message: OpenPKG: "[OpenPKG-SA-2003.040] OpenPKG Security Advisory (openssh)"
    Date: Wed, 17 Sep 2003 15:43:29 +0200
    To: bugtraq@securityfocus.com

    Hash: SHA1

    - --------------------------------------------------------------------------
    Trustix Secure Linux Security Advisory #2003-0033

    Package name: openssh
    Summary: Buffer Management error
    Date: 2003-09-17
    Affected versions: TSL 1.2, 1.5, 2.0

    - --------------------------------------------------------------------------
    Package description:
      OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
      up to date in terms of security and features, as well as removing all
      patented algorithms to seperate libraries (OpenSSL).

    Problem description:
      Taken from the announcement of openssh 3.7.1:

        All versions of OpenSSH's sshd prior to 3.7.1 contain buffer management
        errors. It is uncertain whether these errors are potentially exploitable,
        however, we prefer to see bugs fixed proactively.
        OpenSSH 3.7 fixed one of these bugs.

        OpenSSH 3.7.1 fixes more similar bugs.

      The TSL team has choosen to backport these fixes into the various versions
      of openssh packaged in TSL.

      We recommend that all systems with this package installed be upgraded.
      Please note that if you do not need the functionality provided by this
      package, you may want to remove it from your system.

      All TSL updates are available from

    About Trustix Secure Linux:
      Trustix Secure Linux is a small Linux distribution for servers. With focus
      on security and stability, the system is painlessly kept safe and up to
      date from day one using swup, the automated software updater.

    Automatic updates:
      Users of the SWUP tool can enjoy having updates automatically
      installed using 'swup --upgrade'.

      Users of TSL 1.2 can get SWUP from:
      (In later versions of TSL, SWUP is included in the default installation.)

    Public testing:
      These packages have been available for public testing for some time.
      If you want to contribute by testing the various packages in the
      testing tree, please feel free to share your findings on the
      tsl-discuss mailinglist.
      The testing tree is located at

      You may also use swup for public testing of updates for TSL 2.0 and later:
      site {
          class = 0
          location = "http://snow.trustix.org/cloud/rdfs/latest.rdf"
          regexp = ".*"

      Check out our mailing lists:

      This advisory along with all TSL packages are signed with the TSL sign key.
      This key is available from:

      The advisory itself is available from the errata pages at
      <URI:http://www.trustix.net/errata/trustix-1.5/> and
      or directly at

    MD5sums of the packages:
    - --------------------------------------------------------------------------
    55d636ae51c9e355e02fd9988c78471f ./2.0/SRPMS/openssh-3.6.1p2-4tr.src.rpm
    3855df802a31aef02312537c44f24d5f ./2.0/RPMS/openssh-server-config-3.6.1p2-4tr.i586.rpm
    3b99832e6d4ee04058c69b4f8767feab ./2.0/RPMS/openssh-server-3.6.1p2-4tr.i586.rpm
    68ac388fc68fe725cb6cdd8207017c1f ./2.0/RPMS/openssh-clients-3.6.1p2-4tr.i586.rpm
    1bb394fdf22f158a4c5ce154a5284318 ./2.0/RPMS/openssh-3.6.1p2-4tr.i586.rpm
    abe0f77d98845e40d14548be63f7341c ./1.5/SRPMS/openssh-3.1.0p1-6tr.src.rpm
    9af4176b0919f9ee54e83df88248a9dd ./1.5/RPMS/openssh-server-3.1.0p1-6tr.i586.rpm
    877030c628b6986e034474068c41e139 ./1.5/RPMS/openssh-clients-3.1.0p1-6tr.i586.rpm
    d97d217516f01761d7bc610dfd07e51e ./1.5/RPMS/openssh-3.1.0p1-6tr.i586.rpm
    abe0f77d98845e40d14548be63f7341c ./1.2/SRPMS/openssh-3.1.0p1-6tr.src.rpm
    32a74b28d709f09e4752daeb52113cb3 ./1.2/RPMS/openssh-server-3.1.0p1-6tr.i586.rpm
    568a01beee4559b803d6457555850507 ./1.2/RPMS/openssh-clients-3.1.0p1-6tr.i586.rpm
    925a2a23976c90b5f046c4966c7df80b ./1.2/RPMS/openssh-3.1.0p1-6tr.i586.rpm
    - --------------------------------------------------------------------------

    Trustix Security Team

    Version: GnuPG v1.2.2 (GNU/Linux)

    -----END PGP SIGNATURE-----

  • Next message: OpenPKG: "[OpenPKG-SA-2003.040] OpenPKG Security Advisory (openssh)"

    Relevant Pages

    • TSLSA-2003-0003 - openssl
      ... Package name: openssl ... they are security related, using the redhat patches. ... All TSL updates are available from ... About Tawie Server Linux: ...
    • TSLSA-2003-0037 - proftpd
      ... Package name: proftpd ... Affected versions: TSL 1.2, 1.5, 2.0 ... ProFTPd is an enhanced FTP server with a focus toward simplicity, ... security, and ease of configuration. ...
    • TSLSA-2003-0044 - bind
      ... Trustix Secure Linux Security Advisory #2003-0044 ... Package description: ... BIND is an implementation of the DNS (Domain ... All TSL updates are available from ...
    • TSLSA-2003-0025 - apache
      ... Package name: apache ... particular note is that 2.0.47 addresses four security vulnerabilities: ... All TSL updates are available from ... About Trustix Secure Linux: ...
    • FreeBSD Security Advisory: FreeBSD-SA-01:63.openssh
      ... OpenSSH is an implementation of the SSH1 and SSH2 secure shell ... An experimental upgrade package is available for users who wish to ... Verify the detached PGP signature using your PGP utility. ... Upgrade your entire ports collection and rebuild the OpenSSH port. ...