From mstone@pandora.debian.org Thu Nov 15 03:57:57 2001
From: Michael Stone
Resent-From: debian-security-announce@lists.debian.org
To: debian-security-announce@lists.debian.org
Date: Tue, 13 Nov 2001 23:58:08 +0100
Reply-To: security@debian.org
Subject: [SECURITY] [DSA 086-1] New versions of ssh-nonfree & ssh-socks fix buffer overflow

----------------------------------------------------------------------------
Debian Security Advisory DSA 086-1                       security@debian.org
http://www.debian.org/security/                                Michael Stone
November 13, 2001
----------------------------------------------------------------------------

Package        : ssh-nonfree, ssh-socks
Vulnerability  : remote root exploit
Debian-specific: no

We have received reports that the "SSH CRC-32 compensation attack detector
vulnerability" is being actively exploited. This is the same integer type
error previously corrected for OpenSSH in DSA-027-1. OpenSSH (the Debian
ssh package) was fixed at that time, but ssh-nonfree and ssh-socks were
not.

Though packages in the non-free section of the archive are not officially
supported by the Debian project, we are taking the unusual step of
releasing updated ssh-nonfree/ssh-socks packages for those users who have
not yet migrated to OpenSSH. However, we do recommend that our users
migrate to the regularly supported, DFSG-free "ssh" package as soon as
possible. ssh 1.2.3-9.3 is the OpenSSH package available in Debian 2.2r4.

The fixed ssh-nonfree/ssh-socks packages are available in version
1.2.27-6.2 for use with Debian 2.2 (potato) and version 1.2.27-8 for use
with the Debian unstable/testing distribution.

Note that the new ssh-nonfree/ssh-socks packages remove the setuid bit
from the ssh binary, disabling rhosts-rsa authentication. If you need this
functionality, run

  chmod u+s /usr/bin/ssh1

after installing the new package.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
You may use an automated update by adding the resources from the footer
to the proper configuration.

Debian GNU/Linux 2.2 alias potato
---------------------------------

  Source archives:

    http://security.debian.org/dists/potato/updates/non-free/source/ssh-nonfree_1.2.27-6.2.diff.gz
      MD5 checksum: 92161c3468189f17eb17421fd2e91f1e
    http://security.debian.org/dists/potato/updates/non-free/source/ssh-nonfree_1.2.27-6.2.dsc
      MD5 checksum: 8ba9a4c2d4059b973e6c46bb6ab88958
    http://security.debian.org/dists/potato/updates/non-free/source/ssh-nonfree_1.2.27.orig.tar.gz
      MD5 checksum: c22bc000bee0f7d6f4845eab72a81395

  Alpha architecture:

    http://security.debian.org/dists/potato/updates/non-free/binary-alpha/ssh-askpass-nonfree_1.2.27-6.2_alpha.deb
      MD5 checksum: 90996c54a25e41d743826648d4160f85
    http://security.debian.org/dists/potato/updates/non-free/binary-alpha/ssh-nonfree_1.2.27-6.2_alpha.deb
      MD5 checksum: bd7a26a286ee8f21e17c943cacb085cc
    http://security.debian.org/dists/potato/updates/non-free/binary-alpha/ssh-socks_1.2.27-6.2_alpha.deb
      MD5 checksum: 4c979615edf37d2b980f1d5421f32933

  ARM architecture:

    Not yet available

  Intel ia32 architecture:

    http://security.debian.org/dists/potato/updates/non-free/binary-i386/ssh-askpass-nonfree_1.2.27-6.2_i386.deb
      MD5 checksum: e43c6b7ad3a6cf71d07f528ad9adb34c
    http://security.debian.org/dists/potato/updates/non-free/binary-i386/ssh-nonfree_1.2.27-6.2_i386.deb
      MD5 checksum: e4f6db9acb54b9e3dc75315a66207840
    http://security.debian.org/dists/potato/updates/non-free/binary-i386/ssh-socks_1.2.27-6.2_i386.deb
      MD5 checksum: 0eab3e6250c3aa4130ec5a2f719531e6

  Motorola M680x0 architecture:

    http://security.debian.org/dists/potato/updates/non-free/binary-m68k/ssh-askpass-nonfree_1.2.27-6.2_m68k.deb
      MD5 checksum: 903221f1d6b2770aacafe5ec059199bc
    http://security.debian.org/dists/potato/updates/non-free/binary-m68k/ssh-nonfree_1.2.27-6.2_m68k.deb
      MD5 checksum: a491728bdd38a38a0ed9257eb7d8f610
    http://security.debian.org/dists/potato/updates/non-free/binary-m68k/ssh-socks_1.2.27-6.2_m68k.deb
      MD5 checksum: 5c8b6771e7c287ba4794f41db771d879

  PowerPC architecture:

    http://security.debian.org/dists/potato/updates/non-free/binary-powerpc/ssh-askpass-nonfree_1.2.27-6.2_powerpc.deb
      MD5 checksum: c0366ff3cb037054da92b597d3c48aee
    http://security.debian.org/dists/potato/updates/non-free/binary-powerpc/ssh-nonfree_1.2.27-6.2_powerpc.deb
      MD5 checksum: 64eb49a847c7e2c16463375948fb1903
    http://security.debian.org/dists/potato/updates/non-free/binary-powerpc/ssh-socks_1.2.27-6.2_powerpc.deb
      MD5 checksum: 2b530b0590aa372c8c77cc8e80ed01e2

  Sun Sparc architecture:

    http://security.debian.org/dists/potato/updates/non-free/binary-sparc/ssh-askpass-nonfree_1.2.27-6.2_sparc.deb
      MD5 checksum: 1a1844a143bcd2daae80a70005c74084
    http://security.debian.org/dists/potato/updates/non-free/binary-sparc/ssh-nonfree_1.2.27-6.2_sparc.deb
      MD5 checksum: bfcc81152d02d6bc1f5a93018fe56835
    http://security.debian.org/dists/potato/updates/non-free/binary-sparc/ssh-socks_1.2.27-6.2_sparc.deb
      MD5 checksum: 3d69332e3c134251439b64f4e379cb68

  For not yet released architectures please refer to the appropriate
  directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .

----------------------------------------------------------------------------
For apt-get:
  deb http://security.debian.org/ stable/updates main non-free
For dpkg-ftp:
  ftp://security.debian.org/debian-security dists/stable/updates/main
  ftp://security.debian.org/debian-security dists/stable/updates/non-free
Mailing list: debian-security-announce@lists.debian.org
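The advisory names the defect only as an integer type error. The C model below is added here and is not code from the advisory or from any ssh package: it shows the class of bug in the CRC-32 compensation attack detector, where a hash-table entry count computed in 32 bits is stored into a 16-bit variable, so for the largest packet the detector accepts the stored count truncates to zero and the table is allocated far smaller than the later writes assume. The constants and the fix (widen the variable to 32 bits, keep the length bound) are assumed from OpenSSH's deattack.c.

```c
/* Added example, not from the advisory: models the 16-bit integer type
 * error in the SSH1 CRC-32 compensation attack detector and its fix.
 * Constants are assumed from OpenSSH's deattack.c. */
#include <stdint.h>
#include <stdio.h>

#define SSH_BLOCKSIZE   8
#define SSH_MAXBLOCKS   (32 * 1024)
#define HASH_MINSIZE    8192
#define HASH_ENTRYSIZE  2
#define HASH_FACTOR(x)  ((x) * 3 / 2)

/* Entries the detector needs for a len-byte packet: the smallest
 * power-of-4 multiple of the minimum size covering HASH_FACTOR(blocks). */
uint32_t needed_entries(uint32_t len)
{
    uint32_t l = HASH_MINSIZE / HASH_ENTRYSIZE;
    while (l < HASH_FACTOR(len / SSH_BLOCKSIZE))
        l <<= 2;
    return l;
}

/* Vulnerable sizing: the count is stored into a 16-bit variable, so it
 * silently truncates (to 0) once the needed count reaches 65536. */
uint16_t entries_vulnerable(uint32_t len)
{
    return (uint16_t)needed_entries(len);   /* the bug: narrowing store */
}

/* Fixed sizing: a 32-bit variable keeps the full count and the packet
 * length bound is checked first; 0 means "reject the packet". */
uint32_t entries_fixed(uint32_t len)
{
    if (len > SSH_MAXBLOCKS * SSH_BLOCKSIZE || len % SSH_BLOCKSIZE != 0)
        return 0;
    return needed_entries(len);
}

int main(void)
{
    uint32_t len = SSH_MAXBLOCKS * SSH_BLOCKSIZE;   /* largest accepted packet */
    printf("len=%u needed=%u vulnerable=%u fixed=%u\n", (unsigned)len,
           (unsigned)needed_entries(len), (unsigned)entries_vulnerable(len),
           (unsigned)entries_fixed(len));
    return 0;
}
```

For the largest accepted packet the vulnerable path reports 0 entries while 65536 are needed, which is the undersized allocation the detector's table writes then overrun.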