From bugzilla@redhat.com Mon Aug 4 00:54:08 2003 From: bugzilla@redhat.com To: redhat-watch-list@redhat.com Cc: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com Date: Tue, 29 Jul 2003 13:14 -0400 Subject: [Full-Disclosure] [RHSA-2003:222-01] Updated openssh packages available [ The following text is in the "iso-8859-1" character set. ] [ Your display is set for the "US-ASCII" character set. ] [ Some characters may be displayed incorrectly. ] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --------------------------------------------------------------------- Red Hat Security Advisory Synopsis: Updated openssh packages available Advisory ID: RHSA-2003:222-01 Issue date: 2003-07-29 Updated on: 2003-07-29 Product: Red Hat Linux Keywords: openssh pam timing information leak Cross references: Obsoletes: RHSA-2002:127 CVE Names: CAN-2003-0190 - --------------------------------------------------------------------- 1. Topic: Updated OpenSSH packages are now available. These updates close an information leak caused by sshd's interaction with the PAM system. 2. Relevant releases/architectures: Red Hat Linux 7.1 - i386 Red Hat Linux 7.1 for iSeries (64 bit) - ppc Red Hat Linux 7.1 for pSeries (64 bit) - ppc Red Hat Linux 7.2 - i386, ia64 Red Hat Linux 7.3 - i386 Red Hat Linux 8.0 - i386 Red Hat Linux 9 - i386 3. Problem description: OpenSSH is a suite of network connectivity tools that can be used to establish encrypted connections between systems on a network and can provide interactive login sessions and port forwarding, among other functions. When configured to allow password-based or challenge-response authentication, sshd (the OpenSSH server) uses PAM (Pluggable Authentication Modules) to verify the user's password. Under certain conditions, OpenSSH versions prior to 3.6.1p1 reject an invalid authentication attempt without first attempting authentication using PAM. If PAM is configured with its default failure delay, the amount of time sshd takes to reject an invalid authentication request varies widely enough that the timing variations could be used to deduce whether or not an account with a specified name existed on the server. This information could then be used to narrow the focus of an attack against some other system component. These updates contain backported fixes that cause sshd to always attempt PAM authentication when performing password and challenge-response authentication for clients. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. 5. RPMs required: Red Hat Linux 7.1: SRPMS: ftp://updates.redhat.com/7.1/en/os/SRPMS/openssh-3.1p1-7.src.rpm i386: ftp://updates.redhat.com/7.1/en/os/i386/openssh-3.1p1-7.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/openssh-clients-3.1p1-7.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/openssh-server-3.1p1-7.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/openssh-askpass-3.1p1-7.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/openssh-askpass-gnome-3.1p1-7.i386.rpm Red Hat Linux 7.1 for iSeries (64 bit): SRPMS: ftp://updates.redhat.com/7.1/en/os/iSeries/SRPMS/openssh-3.1p1-7.src.rpm ppc: ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/openssh-3.1p1-7.ppc.rpm ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/openssh-clients-3.1p1-7.ppc.rpm ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/openssh-server-3.1p1-7.ppc.rpm ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/openssh-askpass-3.1p1-7.ppc.rpm ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/openssh-askpass-gnome-3.1p1-7.ppc.rpm Red Hat Linux 7.1 for pSeries (64 bit): SRPMS: ftp://updates.redhat.com/7.1/en/os/pSeries/SRPMS/openssh-3.1p1-7.src.rpm ppc: ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/openssh-3.1p1-7.ppc.rpm ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/openssh-clients-3.1p1-7.ppc.rpm ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/openssh-server-3.1p1-7.ppc.rpm ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/openssh-askpass-3.1p1-7.ppc.rpm ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/openssh-askpass-gnome-3.1p1-7.ppc.rpm Red Hat Linux 7.2: SRPMS: ftp://updates.redhat.com/7.2/en/os/SRPMS/openssh-3.1p1-8.src.rpm i386: ftp://updates.redhat.com/7.2/en/os/i386/openssh-3.1p1-8.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/openssh-clients-3.1p1-8.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/openssh-server-3.1p1-8.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/openssh-askpass-3.1p1-8.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/openssh-askpass-gnome-3.1p1-8.i386.rpm ia64: ftp://updates.redhat.com/7.2/en/os/ia64/openssh-3.1p1-8.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/openssh-clients-3.1p1-8.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/openssh-server-3.1p1-8.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/openssh-askpass-3.1p1-8.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/openssh-askpass-gnome-3.1p1-8.ia64.rpm Red Hat Linux 7.3: SRPMS: ftp://updates.redhat.com/7.3/en/os/SRPMS/openssh-3.1p1-8.src.rpm i386: ftp://updates.redhat.com/7.3/en/os/i386/openssh-3.1p1-8.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/openssh-clients-3.1p1-8.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/openssh-server-3.1p1-8.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/openssh-askpass-3.1p1-8.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/openssh-askpass-gnome-3.1p1-8.i386.rpm Red Hat Linux 8.0: SRPMS: ftp://updates.redhat.com/8.0/en/os/SRPMS/openssh-3.4p1-4.src.rpm i386: ftp://updates.redhat.com/8.0/en/os/i386/openssh-3.4p1-4.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/openssh-clients-3.4p1-4.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/openssh-server-3.4p1-4.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/openssh-askpass-3.4p1-4.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/openssh-askpass-gnome-3.4p1-4.i386.rpm Red Hat Linux 9: SRPMS: ftp://updates.redhat.com/9/en/os/SRPMS/openssh-3.5p1-6.9.src.rpm i386: ftp://updates.redhat.com/9/en/os/i386/openssh-3.5p1-6.9.i386.rpm ftp://updates.redhat.com/9/en/os/i386/openssh-clients-3.5p1-6.9.i386.rpm ftp://updates.redhat.com/9/en/os/i386/openssh-server-3.5p1-6.9.i386.rpm ftp://updates.redhat.com/9/en/os/i386/openssh-askpass-3.5p1-6.9.i386.rpm ftp://updates.redhat.com/9/en/os/i386/openssh-askpass-gnome-3.5p1-6.9.i386.rpm 6. Verification: MD5 sum Package Name - -------------------------------------------------------------------------- bfbd152a2069230041ff1298b0562061 7.1/en/os/SRPMS/openssh-3.1p1-7.src.rpm 48c37500a4c7984673878edbef7e9cde 7.1/en/os/i386/openssh-3.1p1-7.i386.rpm 3f59bffd703bac24632f4e34e2beed22 7.1/en/os/i386/openssh-askpass-3.1p1-7.i386.rpm def478c5b3f97af908e3cb4d8306662b 7.1/en/os/i386/openssh-askpass-gnome-3.1p1-7.i386.rpm e9947146ea766572cbd9457f320a4f06 7.1/en/os/i386/openssh-clients-3.1p1-7.i386.rpm 879cbb50923935cebf20b39578dc8eed 7.1/en/os/i386/openssh-server-3.1p1-7.i386.rpm bfbd152a2069230041ff1298b0562061 7.1/en/os/iSeries/SRPMS/openssh-3.1p1-7.src.rpm 7c8aa13e79e6c856181852de76c86722 7.1/en/os/iSeries/ppc/openssh-3.1p1-7.ppc.rpm b1a591c23d345fd96f2d0fab2eb958be 7.1/en/os/iSeries/ppc/openssh-askpass-3.1p1-7.ppc.rpm ae6d48792fea701e75b114333babe37c 7.1/en/os/iSeries/ppc/openssh-askpass-gnome-3.1p1-7.ppc.rpm f7ee0ce5cefe22043828863da06ce331 7.1/en/os/iSeries/ppc/openssh-clients-3.1p1-7.ppc.rpm d9f993c8fa47ec3956f5e1e3c6f176d5 7.1/en/os/iSeries/ppc/openssh-server-3.1p1-7.ppc.rpm bfbd152a2069230041ff1298b0562061 7.1/en/os/pSeries/SRPMS/openssh-3.1p1-7.src.rpm 7c8aa13e79e6c856181852de76c86722 7.1/en/os/pSeries/ppc/openssh-3.1p1-7.ppc.rpm b1a591c23d345fd96f2d0fab2eb958be 7.1/en/os/pSeries/ppc/openssh-askpass-3.1p1-7.ppc.rpm ae6d48792fea701e75b114333babe37c 7.1/en/os/pSeries/ppc/openssh-askpass-gnome-3.1p1-7.ppc.rpm f7ee0ce5cefe22043828863da06ce331 7.1/en/os/pSeries/ppc/openssh-clients-3.1p1-7.ppc.rpm d9f993c8fa47ec3956f5e1e3c6f176d5 7.1/en/os/pSeries/ppc/openssh-server-3.1p1-7.ppc.rpm 22f17a835f12a4131a21487d5ee3dec6 7.2/en/os/SRPMS/openssh-3.1p1-8.src.rpm 013694ec0e839f077e7980d9cebfa277 7.2/en/os/i386/openssh-3.1p1-8.i386.rpm a942a051510a5a0aa34b0774d6eb8ee0 7.2/en/os/i386/openssh-askpass-3.1p1-8.i386.rpm de35a67fa21ec478aff57ce5c830f84e 7.2/en/os/i386/openssh-askpass-gnome-3.1p1-8.i386.rpm 8c9d37f46f76093eccea80571d687d46 7.2/en/os/i386/openssh-clients-3.1p1-8.i386.rpm 42ec08d8633862da9c988524fecdafbb 7.2/en/os/i386/openssh-server-3.1p1-8.i386.rpm d9441bbe925832b82766b8140fb4bb77 7.2/en/os/ia64/openssh-3.1p1-8.ia64.rpm 58765b526317e03dcf9371d9b225fa68 7.2/en/os/ia64/openssh-askpass-3.1p1-8.ia64.rpm 46b8de0e5072ff7ee614c7e5dfc536b9 7.2/en/os/ia64/openssh-askpass-gnome-3.1p1-8.ia64.rpm 1e95e8ca735b971bcb1a1824becaa582 7.2/en/os/ia64/openssh-clients-3.1p1-8.ia64.rpm 8ae51f6f0116f60fd29545b4f9560613 7.2/en/os/ia64/openssh-server-3.1p1-8.ia64.rpm 22f17a835f12a4131a21487d5ee3dec6 7.3/en/os/SRPMS/openssh-3.1p1-8.src.rpm 013694ec0e839f077e7980d9cebfa277 7.3/en/os/i386/openssh-3.1p1-8.i386.rpm a942a051510a5a0aa34b0774d6eb8ee0 7.3/en/os/i386/openssh-askpass-3.1p1-8.i386.rpm de35a67fa21ec478aff57ce5c830f84e 7.3/en/os/i386/openssh-askpass-gnome-3.1p1-8.i386.rpm 8c9d37f46f76093eccea80571d687d46 7.3/en/os/i386/openssh-clients-3.1p1-8.i386.rpm 42ec08d8633862da9c988524fecdafbb 7.3/en/os/i386/openssh-server-3.1p1-8.i386.rpm 81ed2140e12f15e4518fc2fe3aef10eb 8.0/en/os/SRPMS/openssh-3.4p1-4.src.rpm d625e5b2eca982b5b92ac0862eae1b73 8.0/en/os/i386/openssh-3.4p1-4.i386.rpm 34e91b60c3b5296c8e5185d5cf832013 8.0/en/os/i386/openssh-askpass-3.4p1-4.i386.rpm 536394cfe9c2b3068580269b346f6c1f 8.0/en/os/i386/openssh-askpass-gnome-3.4p1-4.i386.rpm ce583ee467532c9af9b9482cc90cd375 8.0/en/os/i386/openssh-clients-3.4p1-4.i386.rpm a81ee000ffc59c3f210fb4f08a02f2a7 8.0/en/os/i386/openssh-server-3.4p1-4.i386.rpm 321f50363605e1976cc19b7ceacf6d26 9/en/os/SRPMS/openssh-3.5p1-6.9.src.rpm 71613a13c1e40faa16f9a01fabf0e8b3 9/en/os/i386/openssh-3.5p1-6.9.i386.rpm 7b70f6b671b87385646d382115974724 9/en/os/i386/openssh-askpass-3.5p1-6.9.i386.rpm 9a8d60a683b055feba9855db74467fff 9/en/os/i386/openssh-askpass-gnome-3.5p1-6.9.i386.rpm 5c18b658c8bed7c434d8d9f142a95e7f 9/en/os/i386/openssh-clients-3.5p1-6.9.i386.rpm 3971445a5ee73f5c8b7fdc022b0432e8 9/en/os/i386/openssh-server-3.5p1-6.9.i386.rpm These packages are GPG signed by Red Hat for security. Our key is available from http://www.redhat.com/security/keys.html You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: md5sum 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0190 8. Contact: The Red Hat security contact is . More contact details at http://www.redhat.com/solutions/security/news/contact.html Copyright 2003 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD4DBQE/JqtfXlSAg2UNWIIRArN1AJj2J4983TGK0tX2JtuvVnRMan4PAJ9+aGuz eCjkS4HgrwVgCiekk+e+zg== =8jD6 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html