Roman Drahtmueller wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> ______________________________________________________________________________
>
> SuSE Security Announcement
>
> Package: openssh/ssh
> Announcement-ID: SuSE-SA:2000:47
> Date: Friday, November 24th, 2000 16:30 MET
> Affected SuSE versions: 6.4, 7.0
> Vulnerability Type: clientside remote vulnerability
> Severity (1-10): 6
> SuSE default package: yes
> Other affected systems: systems w/ openssh versions before 2.3.0
>
> Content of this advisory:
> 1) security vulnerability resolved: openssh
>    problem description, discussion, solution and upgrade information
> 2) pending vulnerabilities, solutions, workarounds
> 3) standard appendix (further information)
>
> ______________________________________________________________________________
>
> 1) problem description, brief discussion, solution, upgrade information
>
> openssh is an implementation of the secure shell protocol, available under
> the BSD license, primarily maintained by the OpenBSD Project.
>
> Many vulnerabilities have been found in the openssh package, along with
> a compilation problem in the openssh and ssh packages in the SuSE-7.0
> distribution: An openssh client (the ssh program) can accept X11- or
> ssh-agent forwarding requests even though these forwarding capabilities
> have not been requested by the client side after successful authentication.
> Using these weaknesses, an attacker could gain access to the
> authentication agent which may hold multiple user-owned authentication
> identities, or to the X-server on the client side as if requested by the
> user. These problems have been found/reported by Markus Friedl
> <[EMAIL PROTECTED]> and Jacob Langseth
> <[EMAIL PROTECTED]>.
> A problem in the configure script in both the openssh and ssh package
> on the SuSE-7.0 distribution caused the sshd programs to not be linked
> against the tcp-wrapper library. By consequence, access rules for the sshd
> server-side service as configured in /etc/hosts.allow and /etc/hosts.deny
> were ignored. This has been reported to us by Lutz Pressler <[EMAIL PROTECTED]>.
> We thank these individuals for their contribution.
> Sebastian Krahmer <[EMAIL PROTECTED]> found a small tmp file handling
> problem in the perl script `make-ssh-known-hosts'. A (local) attacker
> could trick the perl program into following symbolic links and thereby
> overwriting files with the privileges of the user calling
> make-ssh-known-hosts.
>
> The solution for the first three problems (agent+X11-forwarding, missing
> libwrap support) is an upgrade to a newer package. The tmp file problem
> can be easily solved by hand. Please see the special install instructions
> below.
>
> Note: Upon public request, we also provide update packages for the
> SuSE-6.3 Intel distribution, even though the openssh package
> was not included in this distribution.
>
> special install instructions:
> =====================================
>
> To find out which package (ssh or openssh) you use, please use the command
> `rpm -qf /usr/bin/ssh'.
> __
> case openssh:
>   Please follow the instructions below to download and install
>   the update package. Afterwards, restart the sshd daemon:
>   `rcsshd restart'.
> __
> case ssh:
>   before SuSE-7.0 (excluding 7.0):
>   In the file /usr/bin/make-ssh-known-hosts, please change the line
>   (around line 102)
>
>     $private_ssh_known_hosts = "/tmp/ssh_known_hosts$$";
>   to read
>     $private_ssh_known_hosts = "~/ssh_known_hosts$$";
>   and you are done.
>
>   SuSE-7.0: Please follow the instructions below to download
>   and install the update package. Afterwards, restart the sshd daemon:
>   `rcsshd restart'
>
> Please choose the update package(s) for your distribution from the URLs
> listed below and download the necessary rpm files. Then, install the
> package using the command `rpm -Uhv file.rpm'.
> rpm packages have an
> internal md5 checksum that protects against file corruption. You can
> verify this checksum using the command (independently from the md5
> signatures below)
> `rpm --checksig --nogpg file.rpm',
> The md5 sums under each package are to prove the package authenticity,
> independently from the md5 checksums in the rpm package format.
>
> i386 Intel Platform:
>
> SuSE-7.0
> ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/openssh-2.3.0p1-0.i386.rpm
> 3c7b9044ffb64f9f74c904eb2b278eb2
> source rpm:
> ftp://ftp.suse.de/pub/suse/i386/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm
> aebcda19518208497671e752bbdfaeb8
>
> SuSE-6.4
> ftp://ftp.suse.de/pub/suse/i386/update/6.4/sec1/openssh-2.3.0p1-0.i386.rpm
> 04c17b0eba99c798ae401fb9aafbc7e4
> source rpm:
> ftp://ftp.suse.de/pub/suse/i386/update/6.4/zq1/openssh-2.3.0p1-0.src.rpm
> 2003ab41cfa32ef39b11b4977ef4cd1f
>
> SuSE-6.3
> ftp://ftp.suse.de/pub/suse/i386/update/6.3/sec1/openssh-2.3.0p1-0.i386.rpm
> 04c17b0eba99c798ae401fb9aafbc7e4
> source rpm:
> ftp://ftp.suse.de/pub/suse/i386/update/6.3/zq1/openssh-2.3.0p1-0.src.rpm
> 2003ab41cfa32ef39b11b4977ef4cd1f
>
> Sparc Platform:
>
> SuSE-7.0
> ftp://ftp.suse.de/pub/suse/sparc/update/7.0/sec1/openssh-2.3.0p1-0.sparc.rpm
> 898aaaacee88777429496f1a5658076f
> source rpm:
> ftp://ftp.suse.de/pub/suse/sparc/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm
> 97868b04de04a0baafcee69ebbbe6079
>
> AXP Alpha Platform:
>
> SuSE-7.0
> ftp://ftp.suse.de/pub/suse/axp/update/7.0/sec1/openssh-2.3.0p1-0.alpha.rpm
> dd12c60b2744455780c976b115b26f27
> source rpm:
> ftp://ftp.suse.de/pub/suse/axp/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm
> 6df5af1a88fda4d8fc1a493e4d10bc01
>
> SuSE-6.4
> ftp://ftp.suse.de/pub/suse/axp/update/6.4/sec1/openssh-2.3.0p1-0.alpha.rpm
> 99de4bb6f183be1b69a610744f4566bc
> source rpm:
> ftp://ftp.suse.de/pub/suse/axp/update/6.4/zq1/openssh-2.3.0p1-0.src.rpm
> aa56e311205ba58478c815760452367e
>
> PPC Power PC Platform:
>
> SuSE-7.0
> ftp://ftp.suse.de/pub/suse/ppc/update/7.0/sec1/openssh-2.3.0p1-0.ppc.rpm
> 72f7c339991e54a476585012423dda62
> source rpm:
> ftp://ftp.suse.de/pub/suse/ppc/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm
> 749ccc55396944ad43c1977e55903958
>
> SuSE-6.4
> ftp://ftp.suse.de/pub/suse/ppc/update/6.4/sec1/openssh-2.3.0p1-0.ppc.rpm
> 59727fa055e5d835bc4e455302b1ef49
> source rpm:
> ftp://ftp.suse.de/pub/suse/ppc/update/6.4/zq1/openssh-2.3.0p1-0.src.rpm
> 7e42dbad4e50a2ad9156e94cf2a93955
>
> ______________________________________________________________________________
>
> 2) Pending vulnerabilities in SuSE Distributions and Workarounds:
>
> Clarification:
> In my message (Subject: "SuSE: miscellaneous"), dated Wed, 15 Nov 2000,
> concerning the paragraph about runtime linking problems in gs
> (GhostScript), I have stated that the problem will be fixed in future
> versions of the SuSE distribution. This does not touch the fact that we
> will of course provide fixes for the older distributions.
>
> - pine
>
> The packages (version 4.30) are on our ftp server and can be downloaded.
> The SuSE security announcement is pending.
>
> - netscape
>
> Michal Zalewski <[EMAIL PROTECTED]> has reported a buffer overflow
> in Netscape's html parser code. A specially crafted html document may
> cause the browser to execute arbitrary code as the user calling the
> netscape program. The packages are available for download on ftp.suse.com.
> A security announcement is on the way to address the issue.
>
> - gs (ghostscript)
>
> Two vulnerabilities have been found in the ghostscript package as shipped
> with SuSE distributions: Insecure temporary file handling and a linker
> problem that could make gs runtime-link against ./libc.so.6.
> We're currently working on update packages. In the meanwhile, it is
> advised to not run gs or applications that call gs from within a world-
> writeable directory.
>
> - jed
>
> The text editor jed saves files in /tmp upon emergency termination in an
> insecure way. This problem was fixed with the release of SuSE-6.3 after
> a SuSE-internal code audit by Thomas Biege <[EMAIL PROTECTED]>. The
> information about the existence of this bug was not communicated to the
> public because the editor was not very widely used at that time.
> We will provide update packages for the SuSE releases 6.0, 6.1 and 6.2
> shortly.
> ______________________________________________________________________________
>
> 3) standard appendix:
>
> SuSE runs two security mailing lists to which any interested party may
> subscribe:
>
> [EMAIL PROTECTED]
> - general/linux/SuSE security discussion.
>   All SuSE security announcements are sent to this list.
>   To subscribe, send an email to
>   <[EMAIL PROTECTED]>.
>
> [EMAIL PROTECTED]
> - SuSE's announce-only mailing list.
>   Only SuSE's security announcements are sent to this list.
>   To subscribe, send an email to
>   <[EMAIL PROTECTED]>.
>
> For general information or the frequently asked questions (faq)
> send mail to:
> <[EMAIL PROTECTED]> or
> <[EMAIL PROTECTED]> respectively.
>
> ===============================================
> SuSE's security contact is <[EMAIL PROTECTED]>.
> ===============================================
>
> Regards,
> Roman Drahtmüller.
> - - --
> - -
> | Roman Drahtmüller <[EMAIL PROTECTED]> // "Caution: Cape does |
> SuSE GmbH - Security Phone: // not enable user to fly."
> | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) |
> - -
> ______________________________________________________________________________
>
> The information in this advisory may be distributed or reproduced,
> provided that the advisory is not modified in any way.
> SuSE GmbH makes no warranties of any kind whatsoever with respect
> to the information contained in this security advisory.
>
> Type Bits/KeyID Date User ID
> pub 2048/3D25D3D9 1999/03/06 SuSE Security Team <[EMAIL PROTECTED]>
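
The temporary-file problem in `make-ssh-known-hosts` that the advisory describes, as an added example that is not code from the advisory or from the ssh package: a scratch file whose name is built from the PID can be pre-created as a symbolic link, while an exclusive create refuses such a path and `File::Temp` avoids the predictable name altogether. Only `$private_ssh_known_hosts` comes from the advisory; the sandbox directory, the victim file and all other names are assumptions.

```perl
#!/usr/bin/perl
# Added example: predictable scratch file name versus exclusive creation.
# Only $private_ssh_known_hosts is taken from the advisory; every other
# name here is an assumption made for illustration.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

# Constructed sandbox standing in for a world-writable /tmp.
my $tmp = tempdir(CLEANUP => 1);

# A file the calling user owns and does not want overwritten.
my $victim = "$tmp/important.txt";
open(my $v, '>', $victim) or die "create $victim: $!";
print {$v} "user data\n";
close($v);

# Pattern from the advisory: the name is derived from the PID, so the path
# may already exist as a symlink by the time the script opens it.
my $private_ssh_known_hosts = "$tmp/ssh_known_hosts$$";
symlink($victim, $private_ssh_known_hosts) or die "symlink: $!";

# Hardened open on the same name: O_CREAT|O_EXCL fails if anything, a
# symlink included, already exists at the path, so nothing is followed.
my $ok = sysopen(my $fh, $private_ssh_known_hosts,
                 O_WRONLY | O_CREAT | O_EXCL, 0600);
my $msg = $ok ? "opened (unexpected)\n" : "refused pre-existing path: $!\n";
print $msg;

# Preferred: File::Temp picks an unpredictable name and creates the file
# exclusively with mode 0600 in a single step.
my ($safe_fh, $safe_name) = tempfile('ssh_known_hosts_XXXXXXXX',
                                     DIR => $tmp, UNLINK => 1);
print {$safe_fh} "host key lines would go here\n";
close($safe_fh);
print "scratch file created at $safe_name\n";

# The victim file is untouched because no open followed the symlink.
open($v, '<', $victim) or die "read $victim: $!";
my $content = <$v>;
close($v);
my $intact = $content eq "user data\n" ? "yes" : "no";
print "victim intact: $intact\n";
```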
