OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 06-Aug-2003 15:37:34 Branch: HEAD Handle: 2003080614373400 Modified files: openpkg-web/security 00README OpenPKG-SA-2003.035-openssh.txt page.pl Log: finalize OpenSSH SA Summary: Revision Changes Path 1.8 +1 -1 openpkg-web/security/00README 1.2 +24 -14 openpkg-web/security/OpenPKG-SA-2003.035-openssh.txt 1.20 +1 -1 openpkg-web/security/page.pl ____________________________________________________________________________ patch -p0 <<'@@ .' Index: openpkg-web/security/00README ============================================================================ $ cvs diff -u -r1.7 -r1.8 00README --- openpkg-web/security/00README 15 Jan 2003 15:42:25 -0000 1.7 +++ openpkg-web/security/00README 6 Aug 2003 13:37:34 -0000 1.8 @@ -3,7 +3,7 @@ $ mv OpenPKG-SA-2003.00x-xxx.txt.asc OpenPKG-SA-2003.00x-xxx.txt $ gpg --verify OpenPKG-SA-2003.00x-xxx.txt $ mutt [EMAIL PROTECTED] - Subject: [OpenPKG-SA-2003.00x] OpenPKG Security Advisory (xxx) + Subject: [OpenPKG-SA-2003.034] OpenPKG Security Advisory (imagemagick) Approved: OPENPKG $ mutt [EMAIL PROTECTED] Subject: [OpenPKG-SA-2003.00x] OpenPKG Security Advisory (xxx) @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.035-openssh.txt ============================================================================ $ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2003.035-openssh.txt --- openpkg-web/security/OpenPKG-SA-2003.035-openssh.txt 6 Aug 2003 13:07:50 -0000 1.1 +++ openpkg-web/security/OpenPKG-SA-2003.035-openssh.txt 6 Aug 2003 13:37:34 -0000 1.2 @@ -1,3 +1,6 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + ________________________________________________________________________ OpenPKG Security Advisory The OpenPKG Project 
@@ -12,26 +15,29 @@ Affected Releases: Affected Packages: Corrected Packages: OpenPKG CURRENT <= openssh-3.6.1p1-20030423 >= openssh-3.6.1p2-20030429 -OpenPKG 1.3 N/A +OpenPKG 1.3 none N.A. OpenPKG 1.2 <= openssh-3.5p1-1.2.1 >= openssh-3.5p1-1.2.2 +Dependent Packages: none + Description: - According to a Mediaservice.net security advisory [0], a information - leakage exists in OpenSSH [1] 3.6.1p1 and earlier with PAM support - enabled. When a user does not exist, an error message is send - immediately which allows remote attackers to determine valid usernames - via a timing attack. OpenPKG installations are only affected when the - package was build '--with_pam yes', which is not the default. We could - only reproduce the problem on Linux. It seems FreeBSD and Solaris are + According to a Mediaservice.net security advisory [0], an information + leakage exists in OpenSSH [1] 3.6.1p1 and earlier if PAM support + is enabled. When a user does not exists, an error message is sent + immediately (without any delays) which allows remote attackers to + determine valid usernames via a timing attack. OpenPKG installations + are only affected if the package was build with option "with_pam" + set to "yes" -- which is not the default. The Common Vulnerabilities + and Exposures (CVE) project assigned the id CAN-2003-0190 [2] to the + problem. + + We could only reproduce the problem on Linux. FreeBSD and Solaris are not vulnerable, the patch does not affect their behaviour. However, the problem is related to the PAM configuration, not the operating system. Using a non-default configuration might leak information on other operating systems, too. On Linux systems, a valid workaround is to add a "nodelay" option to the pam_unix.so auth. - The Common Vulnerabilities and Exposures (CVE) project assigned the id - CAN-2003-0190 [2] to the problem. - Please check whether you are affected by running "<prefix>/bin/rpm -q openssh". 
If you have the "openssh" package installed and its version is affected (see above), we recommend that you immediately upgrade it @@ -55,9 +61,6 @@ $ <prefix>/bin/rpm --rebuild openssh-3.5p1-1.2.2.src.rpm $ su - # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssh-3.5p1-1.2.2.*.rpm - - Additionally, we recommend that you rebuild and reinstall - all dependent packages (see above), if any, too. [3][4] ________________________________________________________________________ References: @@ -78,3 +81,10 @@ for details on how to verify the integrity of this advisory. ________________________________________________________________________ +-----BEGIN PGP SIGNATURE----- +Comment: OpenPKG <[EMAIL PROTECTED]> + +iD8DBQE/MQR9gHWT4GPEy58RAiKkAKCpACytbxQN0ERLBbqNfmbZYYc59wCg6V33 +XFH1dFEVD0jBbdBvvdIdIZM= +=GtfK +-----END PGP SIGNATURE----- @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/page.pl ============================================================================ $ cvs diff -u -r1.19 -r1.20 page.pl --- openpkg-web/security/page.pl 10 Jul 2003 14:53:26 -0000 1.19 +++ openpkg-web/security/page.pl 6 Aug 2003 13:37:34 -0000 1.20 @@ -13,7 +13,7 @@ foreach my $sa (reverse sort @SA) { my ($base, $name, $year) = ($sa =~ m|^(OpenPKG-SA-((\d+)\..+))\.txt$|); next if ($name =~ m|^0000|); - next if ($name =~ m|^2003\.04[4-9]|); + next if ($name =~ m|^2003\.03[6-9]|); if ($this_year ne $year) { $sidebar .= "<br>\n"; $this_year = $year; @@ . ______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List [EMAIL PROTECTED]
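Review bot: in the 00README hunk the edited line is the example Subject of the release procedure, and replacing the `00x` / `xxx` placeholders with a concrete `2003.034` / `imagemagick` looks like an accidental commit rather than an intended change, especially in a revision whose log message says it finalizes the OpenSSH advisory (2003.035): the second `$ mutt` block in the same hunk still carries `Subject: [OpenPKG-SA-2003.00x] OpenPKG Security Advisory (xxx)`, so the two examples are now inconsistent. Suggest reverting the line to the placeholder form so the README stays a template.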
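Review bot: in the first hunk of OpenPKG-SA-2003.035-openssh.txt, adding `-----BEGIN PGP SIGNED MESSAGE-----` and `Hash: SHA1` turns the advisory into a clearsigned document, so every byte between this header and the signature block is covered by the signature, including the wording changes made further down in this same revision. The signature appended at the end of the file must therefore have been produced over exactly this final text; if the body was edited after signing, the `gpg --verify` step from the 00README procedure fails and the advisory is unverifiable. Worth running that verification on the committed file before it is mailed out.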
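Review bot: two typos in the added Description lines of the `@@ -12,26 +15,29 @@` hunk: `When a user does not exists` should read `does not exist`, and `if the package was build with option "with_pam"` should read `was built`. Separately, the Linux workaround of adding `nodelay` to the `pam_unix.so` auth line makes the response time uniform by removing the failure delay altogether, which also removes the per-attempt slowdown on wrong passwords for existing accounts; one sentence stating that trade-off would tell administrators they are choosing between username-enumeration resistance and brute-force throttling until the package is upgraded.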
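Review bot: in the `@@ -55,9 +61,6 @@` hunk, removing the sentence `Additionally, we recommend that you rebuild and reinstall all dependent packages (see above), if any, too. [3][4]` drops the only inline citations of references [3] and [4] visible in this diff, and the final hunk of the file does not touch the References section; check that [3] and [4] are either still cited elsewhere in the advisory or removed from the list so the numbering stays consistent. Since the header now states `Dependent Packages: none`, keeping the sentence (its `if any` already covers this case) would also keep the text aligned with the other advisories produced from the same template.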
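Review bot: in the `@@ -78,3 +81,10 @@` hunk the signature block's `Comment:` header identifies the signer only by an e-mail address, and nothing in the advisory body shown in this diff gives a key ID or fingerprint; readers who follow the `for details on how to verify the integrity of this advisory` pointer must be able to obtain the correct key from it, otherwise a successful `gpg --verify` only proves that some key carrying that address signed the text. Make sure that pointer leads to the project key's fingerprint.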
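Review bot: in the page.pl hunk the sidebar hide-list is a hand-maintained number range, and narrowing it from `2003\.04[4-9]` to `2003\.03[6-9]` means any draft advisory files numbered 2003.040 or higher present in `@SA` will now be listed on the public page (the old pattern hid 044 through 049, the new one hides none of them), and the line has to be bumped by hand before every release. If unpublished drafts live in the same directory, a pattern that covers everything past the last published number, e.g. `next if ($name =~ m/^2003\.(03[6-9]|0[4-9]\d)/);` (switching from `m|...|` to `m/.../` so the alternation bar is not taken as the delimiter), or better a check on a per-file published marker, would fail safe instead of depending on this line being updated in step with each advisory.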