SuSE Security Announcement: OpenSSH
______________________________________________________________________________
SuSE Security Announcement
Package: openssh
Announcement-ID: SuSE-SA:2001:044
Date: Mon Dec 3 14:01:19 CET 2001
Affected SuSE versions: 6.4, 7.0, 7.1, 7.2, 7.3
Vulnerability Type: various bugs
Severity (1-10): 4
SuSE default package: yes
Other affected systems: All systems shipping OpenSSH <= 2.9.9
Content of this advisory:
1) security vulnerability resolved: Various problems in OpenSSH.
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
The OpenSSH daemon shipped with SuSE distributions contains various minor
bugs which, under some circumstances, allow the IP-based access control to be
bypassed, or files named "cookies" to be deleted if X11 forwarding is enabled.
It has also been verified that the recent remotely exploitable crc32 bug, as
well as the logging bug, has been fixed in our latest ssh packages.
We strongly recommend updating to OpenSSH version 2.9.9p2. Please download
and update the packages as described in section 3, then invoke
    /etc/rc.d/sshd restart
to restart the OpenSSH daemon.
If you are logged on via sshd, it is advisable to perform the update as an
at job, so that it completes even if your secure shell daemon gets killed:
    rpm -Uhv openssh-*.rpm
    echo "rcsshd restart" | at now
Please note that OpenSSH 2.9.9p2 is *not* vulnerable to the crc32/deattack
exploit. Some people recently made incorrect statements about this and
claimed to have found exploits "in the wild" that use the crc32 hole against
this version. This is wrong, and you can safely ignore these discussions.
If you installed the ssh-1.2.27 package instead of the openssh package, no
update should be necessary, provided you followed SuSE Security Announcement
SuSE-SA:2001:04, which recommends updating to the latest ssh-1.2.27 packages.
Due to legal constraints, the packages for the 7.0 and older distributions
containing cryptographic code can be found on ftp.suse.de, not ftp.suse.com.
Distributions 7.1 and newer have all of their update packages on ftp.suse.com.
i386 Intel Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec1/openssh-2.9.9p2-38.i386.rpm
6ba603f1115b0125abf0b62f28ba6666
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/openssh-2.9.9p2-38.src.rpm
644d74829ecaa12c6a28cc9564bb0a1c
SuSE-7.2
ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec1/openssh-2.9.9p2-25.i386.rpm
0b0406a63181bf23c683add3f6f9abc3
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/openssh-2.9.9p2-25.src.rpm
5914018a06e77f7477058afa8617ab10
SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/sec1/openssh-2.9.9p2-26.i386.rpm
0d69dce8f61317c84efde55f6cc95f10
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/openssh-2.9.9p2-26.src.rpm
3aeba61d45d243773db8d1b7eedf6924
SuSE-7.0
ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/openssh-2.9.9p2-27.i386.rpm
2defc4cf8182b1e5eb4b204224007dd6
source rpm:
ftp://ftp.suse.de/pub/suse/i386/update/7.0/zq1/openssh-2.9.9p2-27.src.rpm
1999c7c42507c1c4d831daf170e88c6e
SuSE-6.4
ftp://ftp.suse.de/pub/suse/i386/update/6.4/sec1/openssh-2.9.9p2-27.i386.rpm
5fe6fdee55502e81b383b5b11047cee9
source rpm:
ftp://ftp.suse.de/pub/suse/i386/update/6.4/zq1/openssh-2.9.9p2-27.src.rpm
cfee6bebb8086dc2d861aeb5fff6dc17
Sparc Platform:
SuSE-7.1
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/sec1/openssh-2.9.9p2-8.sparc.rpm
8dcf46c82f11c35e8812d477caacd3b2
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/openssh-2.9.9p2-8.src.rpm
27ed16f77bcabd34919681fa07fcbd1c
SuSE-7.0
ftp://ftp.suse.de/pub/suse/sparc/update/7.0/sec1/openssh-2.9.9p2-8.sparc.rpm
a23db0e0516a935cfce8a199a48ce036
source rpm:
ftp://ftp.suse.de/pub/suse/sparc/update/7.0/zq1/openssh-2.9.9p2-8.src.rpm
e4c6c636fe7dd5e234d89dd28564611b
AXP Alpha Platform:
SuSE-7.1
ftp://ftp.suse.com/pub/suse/axp/update/7.1/sec1/openssh-2.9.9p2-5.alpha.rpm
b0e29b53f247c7a8ba6d17297867730e
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/openssh-2.9.9p2-5.src.rpm
73a832a3b10876d751203aca7fd37607
SuSE-7.0
ftp://ftp.suse.de/pub/suse/axp/update/7.0/sec1/openssh-2.9.9p2-6.alpha.rpm
5e07df7ce670e3918f0948495d74e23c
source rpm:
ftp://ftp.suse.de/pub/suse/axp/update/7.0/zq1/openssh-2.9.9p2-6.src.rpm
3a26418017f5af49ba707e51fa28d954
SuSE-6.4
ftp://ftp.suse.de/pub/suse/axp/update/6.4/sec1/openssh-2.9.9p2-6.alpha.rpm
c2e7364a00aef31a9d121302d316ce4f
source rpm:
ftp://ftp.suse.de/pub/suse/axp/update/6.4/zq1/openssh-2.9.9p2-6.src.rpm
d3a9299f748395912644c375e24302f7
Power PC Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec1/openssh-2.9.9p2-23.ppc.rpm
bdab314f57128accaa4855a8aedf23df
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/openssh-2.9.9p2-23.src.rpm
840bde44f9b372e637a7bdcf3b11a87e
SuSE-7.1
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/sec1/openssh-2.9.9p2-25.ppc.rpm
d3b5f2b85ce6cf9e30a0826127f5b6e4
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/openssh-2.9.9p2-25.src.rpm
888e553f06f96ddd7395ad4c241e0b69
SuSE-7.0
ftp://ftp.suse.de/pub/suse/ppc/update/7.0/sec1/openssh-2.9.9p2-18.ppc.rpm
34eee0c543d2cf266d084d7262475573
source rpm:
ftp://ftp.suse.de/pub/suse/ppc/update/7.0/zq1/openssh-2.9.9p2-18.src.rpm
c33d2e38303853e9363ee0beb9889b43
SuSE-6.4
ftp://ftp.suse.de/pub/suse/ppc/update/6.4/sec1/openssh-2.9.9p2-17.ppc.rpm
4d00f9e0a85631c3e2dd721ca0784f27
source rpm:
ftp://ftp.suse.de/pub/suse/ppc/update/6.4/zq1/openssh-2.9.9p2-17.src.rpm
685e7c8f85117384ea1205b683593b47
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
No additional information in this announcement.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over the
world. While this service is considered valuable and important to the free
and open source software community, many users wish to be sure about the
origin and content of a package before installing it. There are two
verification methods that can be used independently of each other to prove
the authenticity of a downloaded file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum
Hi!

> SuSE Security Announcement
> Package: openssh
> Announcement-ID: SuSE-SA:2001:044
> Date: Mon Dec 3 14:01:19 CET 2001
> Affected SuSE versions: 6.4, 7.0, 7.1, 7.2, 7.3
> Vulnerability Type: various bugs
> Severity (1-10): 4
> SuSE default package: yes
> Other affected systems: All systems shipping OpenSSH <= 2.9.9

One question: why don't you mention SuSE 6.3 here?

I'm not quite sure whether openssh was part of the original distribution (I'd have to dig out the CDs and check), but you certainly *did* provide openssh packages for 6.3 via the FTP server.

And since your support for 6.3 isn't discontinued until next Monday ;-), you *should* provide an update for 6.3 as well... (I guess one can simply use the 6.4 packages since the 6.3 update directory on ftp.suse.de is just a symlink to 6.4 - right?)

Martin
> One question: why don't you mention SuSE 6.3 here?
> I'm not quite sure whether openssh was part of the original distribution (I'd have to dig out the CDs and check), but you certainly *did* provide openssh packages for 6.3 via the FTP server.

Yes, we did. openssh was not on the original distribution, and the packages we have provided were broken.

> And since your support for 6.3 isn't discontinued until next Monday ;-), you *should* provide an update for 6.3 as well...

We know. But it is a hassle to make openssh work flawlessly on 6.3; this is why we decided not to support openssh on 6.3 any more and removed the package.

> (I guess one can simply use the 6.4 packages since the 6.3 update directory on ftp.suse.de is just a symlink to 6.4 - right?)

It's worth a try, yes. If not, please upgrade to a newer distribution, or use the ssh package (which works fine on 6.3). Just make sure you have all updates installed.

> Martin

Thanks,
Roman.

--
| Roman Drahtmüller
> Yes, we did. openssh was not on the original distribution, and the packages we have provided were broken.

I installed openssh 2.3.0p1, built on Nov 20 on Langmuir.suse.de a few days ago. Is this package broken? What is broken? I know that 6.3 is fairly old and I'll have to upgrade, but can't do it now.

> Roman.

thank you,
Markus

--
_____________________________
 /"\   Markus Gaugusch          ICQ 11374583
 \ /   ASCII Ribbon Campaign    markus@gaugusch.at
  X    Against HTML Mail
 / \
> > Yes, we did. openssh was not on the original distribution, and the packages we have provided were broken.
>
> I installed openssh 2.3.0p1, built on Nov 20 on Langmuir.suse.de a few days ago. Is this package broken? What is broken? I know that 6.3 is fairly old and I'll have to upgrade, but can't do it now.

As long as it (the 2.9.9 version) works, you are fine. Sebastian stated in the announcement that the solution is an upgrade to 2.9.9p2, so I don't actually know what you are doing with the 2.3.0 version.

> > Roman.
>
> thank you,
> Markus

Regards,
Roman.
> > I installed openssh 2.3.0p1, built on Nov 20 on Langmuir.suse.de a few days ago. Is this package broken? What is broken? I know that 6.3 is fairly old and I'll have to upgrade, but can't do it now.
>
> As long as it (the 2.9.9 version) works, you are fine.

I don't remember where I got the 2.3.0p1 version from, but it is definitely a SuSE version (according to the build host). I shouldn't do package upgrades before 8 in the morning ;)

thank you,
Markus
Hello Roman

> Sebastian stated in the announcement that the solution is an upgrade to 2.9.9p2, so I don't actually know what you are doing with the 2.3.0 version.

There was a security announcement from you one year ago:

Package: openssh/ssh
Announcement-ID: SuSE-SA:2000:47
Date: Friday, November 24th, 2000 16:30 MET
Affected SuSE versions: 6.4, 7.0
.....
SuSE-7.0
ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/openssh-2.3.0p1-0.i386.rpm
3c7b9044ffb64f9f74c904eb2b278eb2

I think this is the reason.

Guido
On Mon, 3 Dec 2001, Sebastian Krahmer wrote:

> SuSE Security Announcement
> Package: openssh
> Announcement-ID: SuSE-SA:2001:044
> Date: Mon Dec 3 14:01:19 CET 2001
> Affected SuSE versions: 6.4, 7.0, 7.1, 7.2, 7.3
> ...
> If you are logged on via sshd, then it is advisable to perform the update in an at job to make sure that it can be completed if your secure shell daemon gets killed:
>     rpm -Uhv openssh-*.rpm
>     echo "rcsshd restart" | at now

I just noticed that the second line does *not* work with SuSE 7.0 - the "master" daemon gets killed, but it isn't restarted as long as there are still child ssh processes running; if you log out now, you can no longer log into the remote box - until somebody reboots it or restarts sshd manually! (The procedure works fine with SuSE 7.2, though - I guess the start/stop script needs an update; I suspect 6.4 will have the same problem...)

A simple workaround: type

    echo "rcsshd restart" | at now + 2 minutes

and immediately log out from *all* ssh sessions - after 2 minutes all should be well again...

Martin
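The update procedure from the announcement (md5 check from the appendix, upgrade and restart as an at job) together with the delayed-restart workaround from this reply, as an added POSIX shell example; this is not SuSE tooling, and the "<md5>  <file>" check-file format and all function names are assumptions of the example:

```shell
#!/bin/sh
# Added example, not SuSE tooling: verify downloaded update rpms against the
# md5sums printed in a signed announcement, then queue the upgrade plus sshd
# restart as a delayed at job. The "<md5>  <file>" check-file format and the
# helper names are assumptions of this example.

# Print the md5 of a file as lowercase hex (md5sum on Linux, md5 on BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Return 0 when FILE's md5 equals EXPECTED (hex, any case), 1 otherwise.
verify_md5() {
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$(md5_of "$1")" = "$expected" ]
}

# Check every "<md5>  <file>" line of CHECKFILE; stop at the first mismatch
# so that a tampered or truncated download is never handed to rpm.
verify_all() {
    while read -r sum name; do
        [ -z "$sum" ] && continue
        if ! verify_md5 "$name" "$sum"; then
            echo "md5 mismatch for $name: refusing to install" >&2
            return 1
        fi
    done < "$1"
}

# Command line for the at job: upgrade, then restart sshd. The restart runs
# only if rpm succeeded.
build_update_cmd() {
    echo "rpm -Uhv $* && rcsshd restart"
}

# Verify, then queue. DELAY is an at(1) time spec; "now + 2 minutes" leaves
# time to log out of all ssh sessions first, which matters on 7.0 where the
# init script does not restart the master while child sshds are still alive.
queue_update() {
    checkfile=$1; delay=$2; shift 2
    verify_all "$checkfile" || return 1
    # $delay is left unquoted on purpose so at(1) receives separate words.
    build_update_cmd "$@" | at $delay
}
```

Typical use: `queue_update MD5SUMS "now + 2 minutes" openssh-*.rpm`, then log out of every ssh session before the job fires.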
participants (5):
- Guido Schimanke
- Markus Gaugusch
- Martin Köhling
- Roman Drahtmueller
- Sebastian Krahmer