SuSE Security Announcement: openssh/ssh (SuSE-SA:2000:47)
______________________________________________________________________________
SuSE Security Announcement
Package: openssh/ssh
Announcement-ID: SuSE-SA:2000:47
Date: Friday, November 24th, 2000 16:30 MET
Affected SuSE versions: 6.4, 7.0
Vulnerability Type: client-side remote vulnerability
Severity (1-10): 6
SuSE default package: yes
Other affected systems: systems with openssh versions before 2.3.0
Content of this advisory:
1) security vulnerability resolved: openssh
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
openssh is an implementation of the secure shell protocol, available under
the BSD license, primarily maintained by the OpenBSD Project.
Several vulnerabilities have been found in the openssh package, along with
a compilation problem in the openssh and ssh packages of the SuSE 7.0
distribution: an openssh client (the ssh program) can accept X11 or
ssh-agent forwarding requests after successful authentication even though
the client side never requested these forwarding capabilities.
Using these weaknesses, an attacker could gain access to the
authentication agent, which may hold multiple user-owned authentication
identities, or to the X server on the client side as if the user had
requested it. These problems have been found/reported by Markus Friedl
case openssh: Please follow the instructions below to download and install the update package. Afterwards, restart the sshd daemon: `rcsshd restart`.
I have been notified of this error by many people (thank you!): The
symlink named rcsshd (pointing at /sbin/init.d/sshd) does not exist in the
openssh package. What a pity.
Please use `/sbin/init.d/sshd restart` instead.
Roman.
--
Roman Drahtmüller
Hello everyone,

what is actually the difference between ftp://ftp.suse.de/pub/suse/i386/update/7.0/ and ftp://ftp.suse.com/pub/suse/i386/update/7.0/ ? The contents there differ considerably.

--
Regards, Sven Hansen

Sven Hansen, Celo Communications GmbH
Dipl.-Chem., Senior Software Engineer
Weissenfelser Strasse 46a, D-06217 Merseburg
mailto:sh@celocom.de http://www.celocom.de
Phone: +49 (0)3461/3318-24 Fax: +49 (0)3461/415072

Unix _IS_ user friendly - it's just selective about who its friends are!
Hi Sven, hi all, (SuSE-Security is an English list!) Sven Hansen wrote (in German):
Hello everyone,
what's actually the difference between ftp://ftp.suse.de/pub/suse/i386/update/7.0/ and ftp://ftp.suse.com/pub/suse/i386/update/7.0/ ? The content is significantly different.
Well, the US site (ftp.suse.com) is the main distribution site for the packages, but since there still exist some re-export restrictions in the US, SuSE puts encryption packages on their German FTP server (and pays the higher ISP charges which we unfortunately have in Germany).

Try ftp://ftp.gwdg.de/pub/linux/suse/ if you want to have both directories on one server. (This server is very up-to-date (at least for SuSE files) and is fast (well, sometimes the bandwidth between it (DFN) and the outside world is slow). And SuSE doesn't have to pay the connection fees.)

Tobias

PS: I think it is not necessary to post to two lists at the same time, especially to a German and to an English list. Moreover, this is not really a security question.

--
This above all: To thine own self be true / And it must follow as the night the day / Thou canst not then be false to any man.
Hi all!

Here is my question: How should I proceed to update packages on my firewall? I have previously applied harden_suse YES, and now want to update to the new openssh package. But harden_suse has made some changes to /etc/ssh/sshd_config. As I see (since I've already updated the package ;-), the new configuration files /etc/ssh/ssh_config and /etc/ssh/sshd_config were both saved as *.rpmnew.

So my question is: how should I proceed to have the current configuration files AND have them also secured by harden_suse? Should I run /etc/undo_harden_suse and harden_suse YES again? Or is there a better way? Should I use this procedure when installing other updates too? (run /etc/undo_harden_suse && rpm -Fh package && harden_suse YES ?)

Ok, sure, I could compare the new conf files with the older ones, but that's what I don't want to do!

Thanks, rems

--
Richard Ems ... e-mail: r.ems@gmx.net ... Fachbereich Informatik, Universität Hamburg
Unix IS user friendly. It's just selective about who its friends are.
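One way to do the comparison Richard would rather avoid by hand, as an added example that is not code from the advisory, from harden_suse or from any list participant: a small POSIX sh script that compares the live sshd_config with the sshd_config.rpmnew rpm left beside it, directive by directive, and reports what only one file sets or what both set differently. The two sample files and every directive value in them are constructed here for illustration and are not what harden_suse actually writes.

```shell
#!/bin/sh
# Added example (not from the advisory, harden_suse or any list post): compare
# the live sshd_config with the sshd_config.rpmnew rpm left beside it,
# directive by directive, so hardened settings are carried over deliberately.
# All file contents below are constructed samples, not harden_suse output.
# Emit "keyword<TAB>value" per directive; keywords are case-insensitive in
# sshd_config, so they are lower-cased. Comments and blank lines are skipped.
# Flat comparison: Match blocks (absent in the advisory's versions) are ignored.
ssh_directives() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            key = tolower($1)
            val = substr($0, index($0, $1) + length($1))
            sub(/^[[:space:]]+/, "", val)
            print key "\t" val
        }' "$1"
}

# Report directives set only in the live file ($1), only in the .rpmnew file
# ($2), or set to different values. As in sshd, the first occurrence wins.
compare_sshd_configs() {
    {
        ssh_directives "$1" | awk '{ print "live\t" $0 }'
        ssh_directives "$2" | awk '{ print "rpmnew\t" $0 }'
    } | awk -F'\t' '
        $1 == "live"   && !($2 in live) { live[$2] = $3 }
        $1 == "rpmnew" && !($2 in new)  { new[$2]  = $3 }
        END {
            for (k in live) {
                if (!(k in new))
                    print "only in live:   " k " " live[k]
                else if (live[k] != new[k])
                    print "differs:        " k " (live: " live[k] ", rpmnew: " new[k] ")"
            }
            for (k in new)
                if (!(k in live)) print "only in rpmnew: " k " " new[k]
        }' | sort
}

# Constructed sample pair: a locally hardened config and the packaged default.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
LIVE_CFG="$SAMPLE_DIR/sshd_config"
RPMNEW_CFG="$SAMPLE_DIR/sshd_config.rpmnew"
printf '%s\n' '# hardened locally' 'Port 22' 'PermitRootLogin no' \
    'X11Forwarding no' 'PasswordAuthentication no' 'Protocol 2' > "$LIVE_CFG"
printf '%s\n' '# packaged default' 'Port 22' 'PermitRootLogin yes' \
    'X11Forwarding yes' 'PasswordAuthentication yes' 'KeepAlive yes' > "$RPMNEW_CFG"
compare_sshd_configs "$LIVE_CFG" "$RPMNEW_CFG"
```

Run against the real files (compare_sshd_configs /etc/ssh/sshd_config /etc/ssh/sshd_config.rpmnew) the report lists exactly the directives that need a decision before the .rpmnew file is adopted; directives with equal values in both files are not printed.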