OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   24-Sep-2003 13:28:49
  Branch: HEAD                             Handle: 2003092412284900

  Modified files:
    openpkg-web/security    00README OpenPKG-SA-2003.042-openssh.txt page.pl

  Log:
    final polishing and signing of OpenSSH SA

  Summary:
    Revision    Changes     Path
    1.12        +1  -1      openpkg-web/security/00README
    1.2         +32 -24     openpkg-web/security/OpenPKG-SA-2003.042-openssh.txt
    1.27        +1  -1      openpkg-web/security/page.pl
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-web/security/00README
  ============================================================================
  $ cvs diff -u -r1.11 -r1.12 00README
  --- openpkg-web/security/00README     16 Sep 2003 10:18:54 -0000      1.11
  +++ openpkg-web/security/00README     24 Sep 2003 11:28:49 -0000      1.12
  @@ -3,7 +3,7 @@
   $ mv OpenPKG-SA-2003.00x-xxx.txt.asc OpenPKG-SA-2003.00x-xxx.txt
   $ gpg --verify OpenPKG-SA-2003.00x-xxx.txt
   $ mutt [EMAIL PROTECTED]
  -  Subject: [OpenPKG-SA-2003.039] OpenPKG Security Advisory (perl)
  +  Subject: [OpenPKG-SA-2003.042] OpenPKG Security Advisory (openssh)
     Approved: OPENPKG
   $ mutt [EMAIL PROTECTED]
   $ mutt [EMAIL PROTECTED]
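Review bot: the Subject line is the only place in this checklist that carries a concrete advisory number, while the file names two lines above it are still the `OpenPKG-SA-2003.00x-xxx.txt` placeholder, so the subject has to be hand-edited on every release and is easy to leave stale (it still read 2003.039 / perl until this commit). Suggest either using the same placeholder form, `Subject: [OpenPKG-SA-2003.00x] OpenPKG Security Advisory (xxx)`, or taking the ID and package name from the header of the file that was just verified, so the announced ID cannot drift from the signed text.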
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.042-openssh.txt
  ============================================================================
  $ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2003.042-openssh.txt
  --- openpkg-web/security/OpenPKG-SA-2003.042-openssh.txt      24 Sep 2003 08:08:11 -0000      1.1
  +++ openpkg-web/security/OpenPKG-SA-2003.042-openssh.txt      24 Sep 2003 11:28:49 -0000      1.2
  @@ -1,3 +1,6 @@
  +-----BEGIN PGP SIGNED MESSAGE-----
  +Hash: SHA1
  +
   ________________________________________________________________________
   
   OpenPKG Security Advisory                            The OpenPKG Project
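Review bot: `Hash: SHA1` fixes the clearsign digest and is what the README's `gpg --verify` will check, but because the header is being hand-inserted as a text edit rather than produced in place, make sure the checked-in file is exactly what `gpg --clearsign` emitted: no editor re-wrap, no trailing-whitespace cleanup, and no line in the body starting with `-` that would need the `- ` dash escape (none is visible in this diff, which is fine). Any byte changed between here and the signature block at the end of the file makes the signed text fail verification. For future advisories `--digest-algo SHA256` is the stronger choice if the signing key permits it.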
  @@ -12,27 +15,26 @@
   
   Affected Releases:   Affected Packages:          Corrected Packages:
   OpenPKG CURRENT      <= openssh-3.7.1p1-20030917 >= openssh-3.7.1p2-20030923
  -OpenPKG 1.3          N.A.
  -OpenPKG 1.2          N.A.
  +OpenPKG 1.3          none                        N.A.
  +OpenPKG 1.2          none                        N.A.
   
   Dependent Packages:  none
   
   Description:
  -  According to a Portable OpenSSH Security Advisory [0] versions 3.7p1
  -  and 3.7.1p1 of portable OpenSSH [1] contain multiple vulnerabilities
  -  in the new PAM code. At least one of these bugs is remotely
  -  exploitable with privsep disabled. Older versions of portable OpenSSH
  -  are not vulnerable. OpenPKG installations are only affected if the
  -  package was build with option "with_pam" set to "yes" -- which is not
  -  the default.
  -
  -  The Common Vulnerabilities and Exposures (CVE) project assigned the
  -  id CAN-2003-0786 [2] to the problem where SSH1 PAM challenge response
  -  auth ignored the result of the authentication with privsep off.
  -
  -  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  -  CAN-2003-0787 [3] to the problem where the PAM conversation function
  -  trashed the stack.
  +  According to a OpenSSH Security Advisory [0], versions 3.7p1 and
  +  3.7.1p1 of OpenSSH [1] contain multiple vulnerabilities in its
  +  Pluggable Authentication Modules (PAM) related code. At least one
  +  of these bugs is remotely exploitable if Privilege Separation is
  +  disabled and PAM support is enabled. Older versions of OpenSSH are not
  +  vulnerable. OpenPKG installations are only affected if the package was
  +  built with option "with_pam" set to "yes" -- which is not the default.
  +
  +  The Common Vulnerabilities and Exposures (CVE) project assigned
  +  the id CAN-2003-0786 [2] to the problem where SSH1 PAM challenge
  +  response authentication ignored the result of the authentication with
  +  Privilege Separation off. The Common Vulnerabilities and Exposures
  +  (CVE) project assigned the id CAN-2003-0787 [3] to the problem where
  +  the PAM conversation function trashed the stack.
   
     Please check whether you are affected by running "<prefix>/bin/rpm -q
     openssh". If you have the "openssh" package installed and its version
  @@ -41,11 +43,11 @@
   
   Solution:
     Select the updated source RPM appropriate for OpenPKG CURRENT [6]
  -  fetch it from the OpenPKG FTP service [7] or a mirror location,
  -  build a corresponding binary RPM from it [4] and update your OpenPKG
  -  installation by applying the binary RPM [5]. Perform the following
  -  operations to permanently fix the security problem (for other releases
  -  adjust accordingly).
  +  (or any later version), fetch it from the OpenPKG FTP service [7]
  +  or a mirror location, build a corresponding binary RPM from it [4]
  +  and update your OpenPKG installation by applying the binary RPM [5].
  +  Perform the following operations to permanently fix the security
  +  problem.
   
     $ ftp ftp.openpkg.org
     ftp> bin
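Review bot: the procedure goes from `ftp ftp.openpkg.org` (or a mirror) straight to building the binary RPM, with nothing in between that checks the downloaded source RPM; plain FTP and third-party mirrors give no integrity, which is the same reason the advisory itself is signed. Suggest a verification step after the download and before [4], e.g. `<prefix>/bin/rpm --checksig openssh-3.7.1p2-20030923.src.rpm`, with a sentence saying the package must carry the OpenPKG signature. The new "(or any later version)" matches the `>= openssh-3.7.1p2-20030923` entry in the table, and dropping "for other releases adjust accordingly" is right since only CURRENT is affected.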
  @@ -65,8 +67,7 @@
     [4] http://www.openpkg.org/tutorial.html#regular-source
     [5] http://www.openpkg.org/tutorial.html#regular-binary
     [6] ftp://ftp.openpkg.org/current/SRC/openssh-3.7.1p2-20030923.src.rpm
  -  [7] ftp://ftp.openpkg.org/current/SRC/openssh-3.7.1p2-20030923.src.rpm
  -  [FIXME] http://www.openpkg.org/security.html#signature
  +  [7] ftp://ftp.openpkg.org/current/SRC/
   ________________________________________________________________________
   
   For security reasons, this advisory was digitally signed with the
  @@ -76,3 +77,10 @@
   for details on how to verify the integrity of this advisory.
   ________________________________________________________________________
   
  +-----BEGIN PGP SIGNATURE-----
  +Comment: OpenPKG <[EMAIL PROTECTED]>
  +
  +iD8DBQE/cX+AgHWT4GPEy58RAp3JAJ46cRQk51b2jBpvZZEswymlFQOT4gCguLGT
  +JAo61VhgBMZZLPFoqOhET/A=
  +=nd/0
  +-----END PGP SIGNATURE-----
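Review bot: the signature block follows the trailing blank line of the signed text, and the README's verify step runs on whatever CVS hands out, so run `gpg --verify` on a fresh checkout of this revision rather than on the working copy that was signed; CVS keyword expansion or an editor normalising the final newline would change the signed bytes without changing the visible text. The `Comment: OpenPKG <...>` line only names the signer; the advisory footer should name the key ID or fingerprint the reader must import, because `gpg --verify` reports a good signature for any matching key in the keyring, trusted or not.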
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/page.pl
  ============================================================================
  $ cvs diff -u -r1.26 -r1.27 page.pl
  --- openpkg-web/security/page.pl      19 Sep 2003 08:10:34 -0000      1.26
  +++ openpkg-web/security/page.pl      24 Sep 2003 11:28:49 -0000      1.27
  @@ -13,7 +13,7 @@
   foreach my $sa (reverse sort @SA) {
       my ($base, $name, $year) = ($sa =~ m|^(OpenPKG-SA-((\d+)\..+))\.txt$|);
       next if ($name =~ m|^0000|);
  -    next if ($name =~ m|^2003\.04[2-9]|);
  +    next if ($name =~ m|^2003\.04[4-9]|);
       if ($this_year ne $year) {
           $sidebar .= "<br>\n";
           $this_year = $year;
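Review bot: widening the hide pattern from `^2003\.04[2-9]` to `^2003\.04[4-9]` unhides 2003.043 as well as 2003.042, but this commit only finalises and signs 2003.042; if a 2003.043 draft is already in @SA it now shows up in the sidebar unsigned. `^2003\.04[3-9]` is the change that matches the log message. Longer term, a hardcoded regex that must be edited on every release and says nothing about 2003.05x onward is fragile; hiding drafts by a property of the file, such as the absence of the `-----BEGIN PGP SIGNED MESSAGE-----` header, or by a reserved prefix as the `^0000` check on the line above already does, would remove the per-release edit.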
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]