CRITICAL! OpenSSH exploit in the wild
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010116.html

Waiting for SuSE to issue a patch, I did this, on all my machines with a public IP:

    at 9:00
    /etc/init.d/sshd restart
    [Ctrl+D]
    /etc/init.d/sshd stop

So, no sshd over the night, until tomorrow when I'm back at the computer.
Christopher Mahmood wrote:
* Silviu Marin-Caea (silviu@genesys.ro) [030916 10:00]:
Waiting for SuSE to issue a patch
The fixed package has been submitted, once it has been tested the announcement will go out.
I wasn't implying that it's a long wait or anything, really. Such a patch, if it's not perfect could leave remote machines "stranded", so it has to be well tested. SuSE was fast in releasing it, thank you for the good job.
OK, I did the update both on my workstation and on a remote machine that I take care of.

Now, I did

    /etc/init.d/sshd restart

on the remote machine. I expected to lose my connection to it, but surprisingly I didn't.

How do I know the new version is running?

doing ssh -V only gives me:

    hans@ossewa:~> ssh -V
    OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090609f
    hans@ossewa:~>

not specifically which update. How do I know it is actually the new binary running?

Just curious
Thanks
Hans
Where would one find the patch for Suse 8.1?
* Jim Norton (jrn@oregonhanggliding.com) [030916 17:24]:
Where would one find the patch for Suse 8.1?
SuSE-8.1:

Full rpm:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/openssh-3.4p1-214.i586.rpm
Patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/openssh-3.4p1-214.i586.patch.rpm
Source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/openssh-3.4p1-214.src.rpm

-- 
Ben Rosenberg
mailto:ben@whack.org
If two men agree on everything, you can be sure that only one of them is doing the thinking.
Hey thanks Ben!
On Wed, 17 Sep 2003 10:52 am, Ben Rosenberg wrote:
SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/openssh-3.4p1-214.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/openssh-3.4p1-214.i586.patch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/openssh-3.4p1-214.src.rpm

Suse 8.2
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/openssh-3.5p1-106.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/openssh-3.5p1-106.i586.patch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/openssh-3.5p1-106.src.rpm

Note also that openssh-askpass has a new version:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/openssh-askpass-3.5p1-106.i586.rpm

Looking at the changelog:

    # rpm -q --changelog openssh-3.5p1-106
    * Tue Sep 16 2003 - postadal@suse.cz
    - fixed race condition in allocating memory [#31025] (CAN-2003-0693)
    - disabled privilege separation, which caused some problems [#30328]
    * Thu Sep 04 2003 - postadal@suse.cz

The number mentioned (CAN-2003-0693) is the bug number in the alert.

Could somebody closer to the source confirm that these patches do cover the problem detailed in:
http://www.openssh.com/txt/buffer.adv

michaelj

-- 
Michael James michael.james@csiro.au
System Administrator voice: 02 6246 5040
CSIRO Bioinformatics Facility fax: 02 6246 5166
SuSE-7.3?
* Henry Tang <henry@yucreation.com> (Wed, Sep 17, 2003 at 01:07:45PM -0700)
SuSE-7.3?
there's an openssh-2.9.9.rpm in a similar location
7.3/rpm/i386/sec1/openssh.rpm IIRC

Kind regards,
-- 
Gerhard den Hollander
ICT manager, Jason Geosystems BV
gdenhollander@Fugro-Jason.com
* Gerhard den Hollander (gerhard@fugro-jason.com) [030917 12:45]:
* Henry Tang <henry@yucreation.com> (Wed, Sep 17, 2003 at 01:07:45PM -0700)
SuSE-7.3?
there's an openssh-2.9.9.rpm in a similar location 7.3/rpm/i386/sec1/openssh.rpm IIRC
FYI. Look at the build and date of the OpenSSH RPM for 7.3 to determine if it's the patched version. SuSE doesn't update version numbers, but instead patches existing version numbers so as not to break anything that their pkgs depend on. You may know this. But I figured I'd say it for the benefit of those who don't. :)

-- 
Ben Rosenberg
mailto:ben@whack.org
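The two checks raised in the thread so far (does the installed package's changelog list the fix, and is the running sshd actually the updated binary) can be scripted as below. This is an added example, not part of any poster's message: the function names are hypothetical, the sample changelog is constructed from the lines quoted earlier in the thread, and `report_host` assumes an RPM-based Linux host with `pidof` and a readable `/proc`.

```shell
#!/bin/sh
# Added example (not from the thread): two checks for a backported fix.

# changelog_has_fix ID: reads `rpm -q --changelog <pkg>` output on stdin and
# succeeds only if a changelog entry line ("- ...") mentions ID.
changelog_has_fix() {
    grep -E '^[[:space:]]*-' | grep -qF -- "$1"
}

# exe_is_stale TARGET: TARGET is the output of readlink /proc/<pid>/exe.
# Linux appends " (deleted)" when the file the process was started from
# has since been replaced on disk, e.g. by a package update.
exe_is_stale() {
    case "$1" in
        *" (deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: the changelog lines quoted in the thread.
SAMPLE_CHANGELOG='* Tue Sep 16 2003 - postadal@suse.cz
- fixed race condition in allocating memory [#31025] (CAN-2003-0693)
- disabled privilege separation, which caused some problems [#30328]
* Thu Sep 04 2003 - postadal@suse.cz'

# report_host [PKG] [ID]: live check; run as root so /proc/<pid>/exe of
# every sshd process is readable.
report_host() {
    pkg=${1:-openssh}; id=${2:-CAN-2003-0693}
    rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE} installed %{INSTALLTIME:date}\n' "$pkg"
    if rpm -q --changelog "$pkg" | changelog_has_fix "$id"; then
        echo "changelog lists $id"
    else
        echo "changelog does NOT list $id"
    fi
    for pid in $(pidof sshd); do
        target=$(readlink "/proc/$pid/exe") || continue
        if exe_is_stale "$target"; then
            echo "sshd pid $pid still runs the old binary: $target"
        else
            echo "sshd pid $pid runs the on-disk binary: $target"
        fi
    done
}

if [ "${1:-}" = "--report" ]; then report_host "${2:-}" "${3:-}"; fi
```

Run it with `--report` on the host. A login session that survived `/etc/init.d/sshd restart` is served by a process forked from the old daemon, so that PID is reported as stale until the session ends.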
Continuing with this subject, will there be further OpenSSH updates from SuSE as there were from the other distros? I understand that OpenBSD, Debian and others released two more serious bug fixes today, but I haven't heard anything from SuSE yet. Anyone got more news on this?

Lee
-- 
--- KMail v1.5.3-3 ---
SuSE Linux Pro v8.2
--- Registered Linux User #225206
On any other day, that might seem strange...
* BandiPat (penguin0601@earthlink.net) [030917 19:17]:
Continuing with this subject, will there be further OpenSSH updates from SuSE as there were from the other distros? I understand that OpenBSD, Debian and others released two more serious bug fixes today, but I haven't heard anything from SuSE yet.
Anyone got more news on this?
Well, according to what I've heard. The 3.7 release didn't fix the issue..they screwed it up. So instead of just saying " we f**ked up " and releasing a 3.7a version..they did 3.7.1. I would assume since SuSE has patched the 3.5p1 source themselves that since we do not have yet another build of 3.5 then SuSE got it right the first time. :)

I wouldn't not check for updates but unless it's announced that their patch didn't work. I would think SuSE's pkg is good. Number versions are sometimes a sticky situation with SuSE...as I mentioned above. It does take some getting used to.

-- 
Ben Rosenberg
mailto:ben@whack.org
Thanks Ben, those were my thoughts as well. Version numbers are just that, numbers, and seldom reflect the state one's programs are in these days. I think I quit wondering about those about a year after I started using Linux. ;o) As I remember some of the SuSE guys mentioning they would not release the patch until tested, I'm sure SuSE will alert us to any other fixes that need to be done.

Regards,
Lee
On Thu, 2003-09-18 at 05:10, Ben Rosenberg wrote:
I wouldn't not check for updates but unless it's announced that their patch didn't work. I would think SuSE's pkg is good. Number versions are sometimes a sticky situation with SuSE...as I mentioned above. It does take some getting used to.
Looking at the source for the SuSE update, it doesn't look like the second set of patches issued from openssh.org are in there. So if there are indeed exploits out there, the SuSE versions of openssh seem to be vulnerable still.
* Ben Rosenberg <ben@whack.org> (Wed, Sep 17, 2003 at 12:59:18PM -0700)
* Gerhard den Hollander (gerhard@fugro-jason.com) [030917 12:45]:
* Henry Tang <henry@yucreation.com> (Wed, Sep 17, 2003 at 01:07:45PM -0700)
SuSE-7.3?
there's an openssh-2.9.9.rpm in a similar location 7.3/rpm/i386/sec1/openssh.rpm IIRC
FYI. Look at the build and date of the OpenSSH RPM for 7.3 to determine if it's the patched version.
I guess I should have mentioned that .. it's the 16 September version. (16 September 2003 that is).
-- 
Gerhard, <faliquid@xs4all.nl>
participants (10)
- Anders Johansson
- BandiPat
- Ben Rosenberg
- Christopher Mahmood
- Gerhard den Hollander
- H du Plooy
- Henry Tang
- jrn@oregonhanggliding.com
- Michael.James@csiro.au
- Silviu Marin-Caea