From bugzilla@REDHAT.COM Tue Mar 27 21:36:50 2001 From: bugzilla@REDHAT.COM To: BUGTRAQ@SECURITYFOCUS.COM Date: Tue, 27 Mar 2001 15:24:00 -0500 Subject: [BUGTRAQ] [RHSA-2001:033-04] Updated openssh packages available [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] --------------------------------------------------------------------- Red Hat, Inc. Red Hat Security Advisory Synopsis: Updated openssh packages available Advisory ID: RHSA-2001:033-04 Issue date: 2001-03-23 Updated on: 2001-03-27 Product: Red Hat Linux Keywords: openssh passive analysis Cross references: Obsoletes: RHBA-2000-076 RHSA-2000-111 --------------------------------------------------------------------- 1. Topic: Updated openssh packages are now available for Red Hat Linux 7. These packages reduce the amount of information a passive attacker can deduce from observing an encrypted session. 2. Relevant releases/architectures: Red Hat Linux 7.0 - alpha, i386 3. Problem description: Weaknesses in the SSH protocols can be used by a passive attacker to deduce information about passwords entered over an encrypted connection. This information can be used to reduce the number of possible solutions which need to be tested to perform a brute-force attack. This reduces the amount of time and resources required to mount such an attack successfully. OpenSSH 2.5.1 and 2.5.2 include modifications which, while not completely resolving this problem, reduce the risks by changing certain server behaviors to make passive analysis more difficult. 4. Solution: To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directly *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info): 30293 - Where is sftp? 32977 - ssh unable to connect to certain servers using v2 6. RPMs required: Red Hat Linux 7.0: SRPMS: ftp://updates.redhat.com/7.0/SRPMS/openssh-2.5.2p2-1.7.src.rpm alpha: ftp://updates.redhat.com/7.0/alpha/openssh-2.5.2p2-1.7.alpha.rpm ftp://updates.redhat.com/7.0/alpha/openssh-askpass-2.5.2p2-1.7.alpha.rpm ftp://updates.redhat.com/7.0/alpha/openssh-askpass-gnome-2.5.2p2-1.7.alpha.rpm ftp://updates.redhat.com/7.0/alpha/openssh-clients-2.5.2p2-1.7.alpha.rpm ftp://updates.redhat.com/7.0/alpha/openssh-server-2.5.2p2-1.7.alpha.rpm i386: ftp://updates.redhat.com/7.0/i386/openssh-2.5.2p2-1.7.i386.rpm ftp://updates.redhat.com/7.0/i386/openssh-askpass-2.5.2p2-1.7.i386.rpm ftp://updates.redhat.com/7.0/i386/openssh-askpass-gnome-2.5.2p2-1.7.i386.rpm ftp://updates.redhat.com/7.0/i386/openssh-clients-2.5.2p2-1.7.i386.rpm ftp://updates.redhat.com/7.0/i386/openssh-server-2.5.2p2-1.7.i386.rpm 7. Verification: MD5 sum Package Name -------------------------------------------------------------------------- 2249d15ecdca22482c03e8059dd8b31d 7.0/SRPMS/openssh-2.5.2p2-1.7.src.rpm 2c1705e525c6f07d611520374ddfe451 7.0/alpha/openssh-2.5.2p2-1.7.alpha.rpm da69ea875b494a81b91caa65bad4b3b0 7.0/alpha/openssh-askpass-2.5.2p2-1.7.alpha.rpm 52f445b91c77c4aa1e63624aaca56a2a 7.0/alpha/openssh-askpass-gnome-2.5.2p2-1.7.alpha.rpm 997f39e0755a36d7633e6ddbde8b5e5d 7.0/alpha/openssh-clients-2.5.2p2-1.7.alpha.rpm df2d8919c4c2ff8b0a57a4826c20e764 7.0/alpha/openssh-server-2.5.2p2-1.7.alpha.rpm 59fe7436fb6736b7948bfaec706c5628 7.0/i386/openssh-2.5.2p2-1.7.i386.rpm f80b1952bd5caf65d0e724a26b421635 7.0/i386/openssh-askpass-2.5.2p2-1.7.i386.rpm 04723384928efd09e4f96ef142409135 7.0/i386/openssh-askpass-gnome-2.5.2p2-1.7.i386.rpm 8e387b44bd433e71c1caecb899a680f4 7.0/i386/openssh-clients-2.5.2p2-1.7.i386.rpm 99a219f6c0708203f4982a4998b4e401 7.0/i386/openssh-server-2.5.2p2-1.7.i386.rpm These packages are GPG signed by Red Hat, Inc. for security. Our key is available at: http://www.redhat.com/corp/contact.html You can verify each package with the following command: rpm --checksig If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg 8. References: http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=98525792903526&w=2 http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=98527416918430&w=2 Copyright(c) 2000, 2001 Red Hat, Inc.