From openpkg@openpkg.org Thu Sep 25 04:25:24 2003
From: OpenPKG
To: full-disclosure@lists.netsys.com
Date: Wed, 24 Sep 2003 13:28:32 +0200
Subject: [Full-Disclosure] [OpenPKG-SA-2003.042] OpenPKG Security Advisory (openssh)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.042                                          24-Sep-2003
________________________________________________________________________

Package:             openssh
Vulnerability:       remote root exploit
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= openssh-3.7.1p1-20030917  >= openssh-3.7.1p2-20030923
OpenPKG 1.3          none                         N.A.
OpenPKG 1.2          none                         N.A.

Dependent Packages:  none

Description:
  According to an OpenSSH Security Advisory [0], versions 3.7p1 and
  3.7.1p1 of OpenSSH [1] contain multiple vulnerabilities in their
  Pluggable Authentication Modules (PAM) related code. At least one of
  these bugs is remotely exploitable if Privilege Separation is disabled
  and PAM support is enabled. Older versions of OpenSSH are not
  vulnerable. OpenPKG installations are only affected if the package was
  built with option "with_pam" set to "yes" -- which is not the default.

  The Common Vulnerabilities and Exposures (CVE) project assigned the
  id CAN-2003-0786 [2] to the problem where SSH1 PAM challenge response
  authentication ignored the result of the authentication with Privilege
  Separation off.

  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2003-0787 [3] to the problem where the PAM conversation function
  trashed the stack.

  Please check whether you are affected by running "/bin/rpm -q
  openssh". If you have the "openssh" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution). [4][5]

Solution:
  Select the updated source RPM appropriate for OpenPKG CURRENT [6] (or
  any later version), fetch it from the OpenPKG FTP service [7] or a
  mirror location, build a corresponding binary RPM from it [4] and
  update your OpenPKG installation by applying the binary RPM [5].
  Perform the following operations to permanently fix the security
  problem.

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd current/SRC
  ftp> get openssh-3.7.1p2-20030923.src.rpm
  ftp> bye
  $ /bin/rpm --rebuild openssh-3.7.1p2-20030923.src.rpm
  $ su -
  # /bin/rpm -Fvh /RPM/PKG/openssh-3.7.1p2-20030923.*.rpm
________________________________________________________________________

References:
  [0] http://www.openssh.com/txt/sshpam.adv
  [1] http://www.openssh.com/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0786
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0787
  [4] http://www.openpkg.org/tutorial.html#regular-source
  [5] http://www.openpkg.org/tutorial.html#regular-binary
  [6] ftp://ftp.openpkg.org/current/SRC/openssh-3.7.1p2-20030923.src.rpm
  [7] ftp://ftp.openpkg.org/current/SRC/
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG " (ID 63C4CB9F) of the OpenPKG project
which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on
http://pgp.openpkg.org/ for details on how to verify the integrity of
this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG

iD8DBQE/cX+AgHWT4GPEy58RAp3JAJ46cRQk51b2jBpvZZEswymlFQOT4gCguLGT
JAo61VhgBMZZLPFoqOhET/A=
=nd/0
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
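
The check described in the advisory, written out as a triage script. This is an added example, not part of the OpenPKG advisory or project code: it classifies a host from the output of "/bin/rpm -q openssh" plus its sshd_config. The function names are hypothetical, UsePrivilegeSeparation and UsePAM are the sshd_config keywords assumed to correspond to "Privilege Separation" and "PAM support", and the "with_pam" build option is not inspected.

```shell
#!/bin/sh
# Added example, not part of the advisory. Inputs are passed as arguments so
# the logic can be exercised without rpm or a running sshd.

# Succeeds if the package string (as printed by "/bin/rpm -q openssh") carries
# one of the two upstream versions the advisory names as vulnerable.
is_affected_version() {
    case "$1" in
        openssh-3.7p1-*|openssh-3.7.1p1-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the effective value of an sshd_config keyword (first occurrence wins,
# keywords are case-insensitive), or the supplied default if it is not set.
sshd_option() {  # usage: sshd_option FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Classify a host per the advisory: the remotely exploitable case needs an
# affected version, PAM enabled and Privilege Separation disabled.
assess() {  # usage: assess PKGSTRING SSHD_CONFIG
    is_affected_version "$1" || { echo "not-affected"; return; }
    privsep=$(sshd_option "$2" UsePrivilegeSeparation yes)
    # Assumption: an unset UsePAM is treated as enabled (conservative choice).
    pam=$(sshd_option "$2" UsePAM yes)
    if [ "$pam" = "yes" ] && [ "$privsep" = "no" ]; then
        echo "affected-exploitable-config"
    else
        echo "affected-upgrade"
    fi
}
```

On a live host, call assess "$(/bin/rpm -q openssh)" with the path to the installation's sshd_config; either "affected" result means the upgrade in the Solution section applies.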