MDKSA-2003:090-1 - Updated openssh packages fix buffer management error

From: Mandrake Linux Security Team (security_at_linux-mandrake.com)
Date: 09/17/03

    Date: 17 Sep 2003 16:04:59 -0000
    To: bugtraq@securityfocus.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ________________________________________________________________________

                    Mandrake Linux Security Update Advisory
    ________________________________________________________________________

    Package name: openssh
    Advisory ID: MDKSA-2003:090-1
    Date: September 17th, 2003
    Original Advisory Date: September 16th, 2003
    Affected versions: 8.2, 9.0, 9.1, Corporate Server 2.1,
                            Multi Network Firewall 8.2
    ________________________________________________________________________

    Problem Description:

     A buffer management error was discovered in all versions of openssh
     prior to version 3.7. According to the OpenSSH team's advisory:
     "It is uncertain whether this error is potentially exploitable,
     however, we prefer to see bugs fixed proactively." There have also
     been reports of an exploit in the wild.
     
     MandrakeSoft encourages all users to upgrade to these patched openssh
     packages immediately and to disable sshd until you are able to upgrade
     if at all possible.
      
    Update:

     The OpenSSH developers discovered more, similar, problems and revised
     the patch to correct these issues. These new packages have the latest
     patch fix applied.
    ________________________________________________________________________

    References:
      
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0695
      http://www.kb.cert.org/vuls/id/333628
      http://www.openssh.com/txt/buffer.adv
    ________________________________________________________________________

    Updated Packages:
      
     Corporate Server 2.1:
     e4dd6a2be580feeceddb7bf702646992 corporate/2.1/RPMS/openssh-3.6.1p2-1.2.90mdk.i586.rpm
     b643425ed773606865f31797db73b6d5 corporate/2.1/RPMS/openssh-askpass-3.6.1p2-1.2.90mdk.i586.rpm
     bf403b678dd74c14c489bf5a32939e80 corporate/2.1/RPMS/openssh-askpass-gnome-3.6.1p2-1.2.90mdk.i586.rpm
     c4ec1f56320d69a37455d4f74da30d2d corporate/2.1/RPMS/openssh-clients-3.6.1p2-1.2.90mdk.i586.rpm
     0252fc0a7273c7c2ebbe4ae92fe492c6 corporate/2.1/RPMS/openssh-server-3.6.1p2-1.2.90mdk.i586.rpm
     8909a7349c3e18993784900e1c501dc8 corporate/2.1/SRPMS/openssh-3.6.1p2-1.2.90mdk.src.rpm

     Corporate Server 2.1/x86_64:
     7a297d5ad1cf8f266a7045e5ed6407b4 x86_64/corporate/2.1/RPMS/openssh-3.6.1p2-1.2.90mdk.x86_64.rpm
     0e1047d7ac87e4cb2fc83f51156f89e8 x86_64/corporate/2.1/RPMS/openssh-askpass-3.6.1p2-1.2.90mdk.x86_64.rpm
     09592be1376bff2acb58577eb22927e5 x86_64/corporate/2.1/RPMS/openssh-askpass-gnome-3.6.1p2-1.2.90mdk.x86_64.rpm
     cb39634d5cb6811a53e833a566dca625 x86_64/corporate/2.1/RPMS/openssh-clients-3.6.1p2-1.2.90mdk.x86_64.rpm
     2e49b64404318ee3c10f7088781f36da x86_64/corporate/2.1/RPMS/openssh-server-3.6.1p2-1.2.90mdk.x86_64.rpm
     8909a7349c3e18993784900e1c501dc8 x86_64/corporate/2.1/SRPMS/openssh-3.6.1p2-1.2.90mdk.src.rpm

     Mandrake Linux 8.2:
     862ccaea668653af1dd98d4f4cba388e 8.2/RPMS/openssh-3.6.1p2-1.2.82mdk.i586.rpm
     abb351c902abd9bcfc7eefd0d8e56b43 8.2/RPMS/openssh-askpass-3.6.1p2-1.2.82mdk.i586.rpm
     614a6bd4680be732689f5bd1e791a351 8.2/RPMS/openssh-askpass-gnome-3.6.1p2-1.2.82mdk.i586.rpm
     baa534caf5c7121741a7089e11cd169e 8.2/RPMS/openssh-clients-3.6.1p2-1.2.82mdk.i586.rpm
     6f0b03ff0dd99857159177d3e797e916 8.2/RPMS/openssh-server-3.6.1p2-1.2.82mdk.i586.rpm
     d6fd51341f521dc7fc2086915dcaec20 8.2/SRPMS/openssh-3.6.1p2-1.2.82mdk.src.rpm

     Mandrake Linux 8.2/PPC:
     c453de5cac92707c112c9245663fd25c ppc/8.2/RPMS/openssh-3.6.1p2-1.2.82mdk.ppc.rpm
     48211a23e464b38ebd4e7deed7347f48 ppc/8.2/RPMS/openssh-askpass-3.6.1p2-1.2.82mdk.ppc.rpm
     77d27118abff6a1d6c0f57c167fefb52 ppc/8.2/RPMS/openssh-askpass-gnome-3.6.1p2-1.2.82mdk.ppc.rpm
     b58b03854614f14c861f42121d165a2b ppc/8.2/RPMS/openssh-clients-3.6.1p2-1.2.82mdk.ppc.rpm
     9c477dda47eab7cad24839d0ea43e6a4 ppc/8.2/RPMS/openssh-server-3.6.1p2-1.2.82mdk.ppc.rpm
     d6fd51341f521dc7fc2086915dcaec20 ppc/8.2/SRPMS/openssh-3.6.1p2-1.2.82mdk.src.rpm

     Mandrake Linux 9.0:
     e4dd6a2be580feeceddb7bf702646992 9.0/RPMS/openssh-3.6.1p2-1.2.90mdk.i586.rpm
     b643425ed773606865f31797db73b6d5 9.0/RPMS/openssh-askpass-3.6.1p2-1.2.90mdk.i586.rpm
     bf403b678dd74c14c489bf5a32939e80 9.0/RPMS/openssh-askpass-gnome-3.6.1p2-1.2.90mdk.i586.rpm
     c4ec1f56320d69a37455d4f74da30d2d 9.0/RPMS/openssh-clients-3.6.1p2-1.2.90mdk.i586.rpm
     0252fc0a7273c7c2ebbe4ae92fe492c6 9.0/RPMS/openssh-server-3.6.1p2-1.2.90mdk.i586.rpm
     8909a7349c3e18993784900e1c501dc8 9.0/SRPMS/openssh-3.6.1p2-1.2.90mdk.src.rpm

     Mandrake Linux 9.1:
     2f657dd739f51adad400b75e627db53a 9.1/RPMS/openssh-3.6.1p2-1.2.91mdk.i586.rpm
     2284741fdae6b3809b85f1f193dc9c7b 9.1/RPMS/openssh-askpass-3.6.1p2-1.2.91mdk.i586.rpm
     3462362cb6364701bfe536541f24d349 9.1/RPMS/openssh-askpass-gnome-3.6.1p2-1.2.91mdk.i586.rpm
     5a8b2d3763dfc4dd77c7705401b4155e 9.1/RPMS/openssh-clients-3.6.1p2-1.2.91mdk.i586.rpm
     508f52a1bc06e57b5176c31dc7d1674b 9.1/RPMS/openssh-server-3.6.1p2-1.2.91mdk.i586.rpm
     4d9c124f212d3ad840bc19f6579784fc 9.1/SRPMS/openssh-3.6.1p2-1.2.91mdk.src.rpm

     Mandrake Linux 9.1/PPC:
     bf558d8fba0c8f779f73e8a3f75956d8 ppc/9.1/RPMS/openssh-3.6.1p2-1.2.91mdk.ppc.rpm
     ca0ff77a847d5485cf03e4abb1fc7a88 ppc/9.1/RPMS/openssh-askpass-3.6.1p2-1.2.91mdk.ppc.rpm
     4c45f30751958b8347713b818a55caf1 ppc/9.1/RPMS/openssh-askpass-gnome-3.6.1p2-1.2.91mdk.ppc.rpm
     e7912e06b6bf2579badac32f583d8511 ppc/9.1/RPMS/openssh-clients-3.6.1p2-1.2.91mdk.ppc.rpm
     809424b2dd19bd2f654fdf4743fc5a8b ppc/9.1/RPMS/openssh-server-3.6.1p2-1.2.91mdk.ppc.rpm
     4d9c124f212d3ad840bc19f6579784fc ppc/9.1/SRPMS/openssh-3.6.1p2-1.2.91mdk.src.rpm

     Multi Network Firewall 8.2:
     862ccaea668653af1dd98d4f4cba388e mnf8.2/RPMS/openssh-3.6.1p2-1.2.82mdk.i586.rpm
     baa534caf5c7121741a7089e11cd169e mnf8.2/RPMS/openssh-clients-3.6.1p2-1.2.82mdk.i586.rpm
     6f0b03ff0dd99857159177d3e797e916 mnf8.2/RPMS/openssh-server-3.6.1p2-1.2.82mdk.i586.rpm
     d6fd51341f521dc7fc2086915dcaec20 mnf8.2/SRPMS/openssh-3.6.1p2-1.2.82mdk.src.rpm
    ________________________________________________________________________

    Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
    ________________________________________________________________________

    To upgrade automatically, use MandrakeUpdate or urpmi. The verification
    of md5 checksums and GPG signatures is performed automatically for you.

    A list of FTP mirrors can be obtained from:

      http://www.mandrakesecure.net/en/ftp.php

    All packages are signed by MandrakeSoft for security. You can obtain
    the GPG public key of the Mandrake Linux Security Team by executing:

      gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

    Please be aware that sometimes it takes the mirrors a few hours to
    update.

    You can view other update advisories for Mandrake Linux at:

      http://www.mandrakesecure.net/en/advisories/

    MandrakeSoft has several security-related mailing list services that
    anyone can subscribe to. Information on these lists can be obtained by
    visiting:

      http://www.mandrakesecure.net/en/mlist.php

    If you want to report vulnerabilities, please contact

      security_linux-mandrake.com

    Type Bits/KeyID Date User ID
    pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
      <security linux-mandrake.com>
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    iD8DBQE/aIYrmqjQ0CJFipgRAkuzAKCZtNMVd9LqiR0CVbkz9XILvIB4hACeIlqv
    LB/u5JclV/2Ny+Cao90MLTc=
    =0Nsc
    -----END PGP SIGNATURE-----
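
Added example (not part of the advisory and not MandrakeSoft tooling): for an administrator who fetches the RPMs by hand rather than through MandrakeUpdate or urpmi, this Python script parses an "Updated Packages" block in the layout used above and compares the listed MD5 sums with local files. The release name, file names and digests in SAMPLE are constructed, and parse_package_list, md5_of and verify are names chosen for this example.

```python
import hashlib
import re
from pathlib import Path

# Entry lines look like "<32-hex md5> <path/to/package.rpm>".
ENTRY = re.compile(r"^\s*([0-9a-f]{32})\s+(\S+\.rpm)\s*$")

# Constructed sample in the advisory's layout: md5(b"hello") and md5(b"").
SAMPLE = """\
    Updated Packages:
     Example Release 1.0:
     5d41402abc4b2a76b9719d911017c592 1.0/RPMS/example-1.0-1mdk.i586.rpm
     d41d8cd98f00b204e9800998ecf8427e 1.0/SRPMS/example-1.0-1mdk.src.rpm
    ________________________________________________________________________
"""

def parse_package_list(advisory_text):
    """Return {section: {rpm_basename: md5}} from the 'Updated Packages' block."""
    sections, current, in_block = {}, None, False
    for raw in advisory_text.splitlines():
        line = raw.strip()
        if line == "Updated Packages:":
            in_block = True
        elif in_block and line and set(line) == {"_"}:
            break                                  # ruler line closes the block
        elif in_block and ENTRY.match(raw) and current is not None:
            digest, path = ENTRY.match(raw).groups()
            sections[current][path.rsplit("/", 1)[-1]] = digest
        elif in_block and line.endswith(":"):
            current = line[:-1]                    # e.g. a release name
            sections[current] = {}
    return sections

def md5_of(path, chunk=1 << 20):
    digest = hashlib.md5()
    with open(path, "rb") as fh:                   # stream: RPMs can be large
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def verify(directory, expected):
    """Map each expected RPM name to 'ok', 'MISMATCH' or 'missing'."""
    result = {}
    for name, want in expected.items():
        path = Path(directory) / name
        if not path.is_file():
            result[name] = "missing"
        else:
            result[name] = "ok" if md5_of(path) == want else "MISMATCH"
    return result
```

A matching MD5 only ties a file to the advisory text; the PGP signature on the advisory and the GPG signatures on the packages remain the trust anchor, so check those first.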

