From security@caldera.com Thu May 16 02:49:06 2002 From: security@caldera.com To: bugtraq@securityfocus.com, announce@lists.caldera.com, security-alerts@linuxsecurity.com Date: Wed, 15 May 2002 16:53:33 -0700 Subject: Security Update: [CSSA-2002-022.0] Linux: OpenSSH ticket and token passing buffer overflow To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com ______________________________________________________________________________ Caldera International, Inc. Security Advisory Subject: Linux: OpenSSH ticket and token passing buffer overflow Advisory number: CSSA-2002-022.0 Issue date: 2002 May 15 Cross reference: ______________________________________________________________________________ 1. Problem Description A buffer overflow exists in OpenSSH if KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file. A malicious user, possibly remote, could use this vulnerability to gain privileged access to the system. 2. Vulnerable Supported Versions System Package ---------------------------------------------------------------------- OpenLinux 3.1.1 Server prior to openssh-2.9p2-6.i386.rpm prior to openssh-askpass-2.9p2-6.i386.rpm prior to openssh-server-2.9p2-6.i386.rpm OpenLinux 3.1.1 Workstation prior to openssh-2.9p2-6.i386.rpm prior to openssh-askpass-2.9p2-6.i386.rpm OpenLinux 3.1 Server prior to openssh-2.9p2-6.i386.rpm prior to openssh-askpass-2.9p2-6.i386.rpm prior to openssh-server-2.9p2-6.i386.rpm OpenLinux 3.1 Workstation prior to openssh-2.9p2-6.i386.rpm prior to openssh-askpass-2.9p2-6.i386.rpm 3. Solution The proper solution is to install the latest packages. 4. OpenLinux 3.1.1 Server 4.1 Package Location ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS 4.2 Packages f9a494af5e0e6a8eec419f8f94087f7e openssh-2.9p2-6.i386.rpm b9fcc6352bc4c65f63cda1b0caa2b89c openssh-askpass-2.9p2-6.i386.rpm ff4a5bc7e7b1d4fd3f79c647d11d9162 openssh-server-2.9p2-6.i386.rpm 4.3 Installation rpm -Fvh openssh-2.9p2-6.i386.rpm rpm -Fvh openssh-askpass-2.9p2-6.i386.rpm rpm -Fvh openssh-server-2.9p2-6.i386.rpm 4.4 Source Package Location ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS 4.5 Source Packages ab3e90f4e70fc3eecd7e456fa2c2a97e openssh-2.9p2-6.src.rpm 5. OpenLinux 3.1.1 Workstation 5.1 Package Location ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS 5.2 Packages 3406e8a3e55b52b2eb3e7644327d783c openssh-2.9p2-6.i386.rpm e57817246b56ffdf0322be8afcec08ae openssh-askpass-2.9p2-6.i386.rpm 5.3 Installation rpm -Fvh openssh-2.9p2-6.i386.rpm rpm -Fvh openssh-askpass-2.9p2-6.i386.rpm 5.4 Source Package Location ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS 5.5 Source Packages fde335f6bce93b3a3bf3cc20d8231849 openssh-2.9p2-6.src.rpm 6. OpenLinux 3.1 Server 6.1 Package Location ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS 6.2 Packages 41f489ad60ed068a2a027589ca49e6ea openssh-2.9p2-6.i386.rpm c4b8c1e011708a9e8fa04d927387bde5 openssh-askpass-2.9p2-6.i386.rpm 3bbb580c64ba83efaeefac20d891148f openssh-server-2.9p2-6.i386.rpm 6.3 Installation rpm -Fvh openssh-2.9p2-6.i386.rpm rpm -Fvh openssh-askpass-2.9p2-6.i386.rpm rpm -Fvh openssh-server-2.9p2-6.i386.rpm 6.4 Source Package Location ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS 6.5 Source Packages 1c30685cf106f5ee05ec201cd55044f8 openssh-2.9p2-6.src.rpm 7. OpenLinux 3.1 Workstation 7.1 Package Location ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS 7.2 Packages 45502ddfa3d9bc67eefc2ec6a6bd992a openssh-2.9p2-6.i386.rpm c5bedc4946ee432f66255161ba61bbf5 openssh-askpass-2.9p2-6.i386.rpm 7.3 Installation rpm -Fvh openssh-2.9p2-6.i386.rpm rpm -Fvh openssh-askpass-2.9p2-6.i386.rpm 7.4 Source Package Location ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS 7.5 Source Packages 5ddea2209f395da08ca715a128e5485a openssh-2.9p2-6.src.rpm 8. References Specific references for this advisory: none Caldera OpenLinux security resources: http://www.caldera.com/support/security/index.html Caldera UNIX security resources: http://stage.caldera.com/support/security/ This security fix closes Caldera incidents sr863642, fz520794 and erg712034. 9. Disclaimer Caldera International, Inc. is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Caldera products. 10. Acknowledgements Marcell Fodor discovered and researched this vulnerability. ______________________________________________________________________________ [Part 2, Application/PGP-SIGNATURE 245bytes] [Unable to print this part]