[security] CONECTIVA LINUX SECURITY ANNOUNCEMENT - OPENSSH 

----------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
----------------------------------------------------------------------

PACKAGE: openssh
SUMMARY                     : "UseLogin" option allows remote execution
                              of commands as root
DATE                        : 2000-06-10
AFFECTED CONECTIVA VERSIONS : 5.0

----------------------------------------------------------------------


DESCRIPTION
Openssh's default installation doesn't have this problem.
If the "UseLogin" option is used, then the ssh server won't drop
its root privileges, instead relying on the login program to do
so. But if the user specifies a command to be executed during the
ssh session, the login program won't be used and the program will
be run with full root privileges.


SOLUTION
Users with the "UseLogin" option set to "no" in /etc/ssh/sshd_config
are not vulnerable. If, however, this option is needed, then openssh
MUST be upgraded IMMEDIATELY.
Updated packages for openssl are also provided to satisfy openssh's
dependencies.


DIRECT DOWNLOAD LINKS TO UPDATED PACKAGES
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-askpass-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-askpass-gnome-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-clients-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-server-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssl-0.9.5a-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssl-devel-0.9.5a-1cl.i386.rpm


DIRECT LINK TO THE SOURCE PACKAGE
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/openssh-2.1.1p1-1cl.src.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/openssl-0.9.5a-1cl.src.rpm


----------------------------------------------------------------------

All packages are signed with Conectiva's PGP key. The key can be obtained at
http://www.conectiva.com.br/conectiva/contato.html


----------------------------------------------------------------------
subscribe: [EMAIL PROTECTED]
unsubscribe: [EMAIL PROTECTED]


--------------------------------------------------------------------------
Utk berhenti langganan, kirim email ke [EMAIL PROTECTED]
Informasi arsip di http://www.linux.or.id/milis.php3
Pengelola dapat dihubungi lewat [EMAIL PROTECTED]

Kirim email ke