-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: openssh
Announcement-ID: SuSE-SA:2001:044
Date: Mon Dec 3 14:01:19 CET 2001
Affected SuSE versions: 6.4, 7.0, 7.1, 7.2, 7.3
Vulnerability Type: various bugs
Severity (1-10): 4
SuSE default package: yes
Other affected systems: All systems shipping OpenSSH <= 2.9.9
Content of this advisory:
1) security vulnerability resolved: Various problems in OpenSSH.
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
The OpenSSH daemon shipped with SuSE distributions contains various minor
bugs which allow bypassing of IP access control in some circumstances or
the deletion of files named "cookies" if X11 forwarding is enabled.
It has also been verified that the recent remotely exploitable crc32 bug as
well as the logging bug have been fixed in our latest ssh packages.
We strongly recommend updating to OpenSSH version 2.9.9p2. Please download
and install the packages as described in section 3. Then invoke
/etc/rc.d/sshd restart
to restart the OpenSSH daemon.
If you are logged in via sshd, it is advisable to perform the update as an
at job, so that it completes even if your secure shell daemon gets killed:
rpm -Uhv openssh-*.rpm
echo "rcsshd restart" | at now
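The following shell helper is an added example and not part of the SuSE advisory; it combines the md5sum check from section 3 with the at-job update above, refusing to install a package whose md5sum differs from the value printed in the announcement and otherwise installing it and queueing the sshd restart. The function names and the use of awk are my own choices; the test file contents are constructed.

```shell
#!/bin/sh
# Added example, not SuSE's own code.
# verify_md5 FILE EXPECTED_MD5: returns 0 when the md5sum of FILE equals
# EXPECTED_MD5 (the value listed next to the package URL in the advisory).
verify_md5() {
    file=$1
    expected=$2
    # md5sum prints "<hash>  <file>"; keep only the hash column.
    actual=$(md5sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# install_openssh_update PKG_RPM EXPECTED_MD5: verify the package first;
# on a mismatch nothing is installed. On success, install with rpm and queue
# the sshd restart as an at job so that it still runs if the sshd we are
# logged in through is killed during the update.
install_openssh_update() {
    pkg=$1
    sum=$2
    if ! verify_md5 "$pkg" "$sum"; then
        echo "md5sum mismatch for $pkg, refusing to install" >&2
        return 1
    fi
    rpm -Uhv "$pkg" && echo "rcsshd restart" | at now
}

# Usage (values are placeholders; take the real ones from the package list):
# install_openssh_update openssh-2.9.9p2-38.i386.rpm <md5 from advisory>
```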
Please note that OpenSSH 2.9.9p2 is *not*
vulnerable to the crc32/deattack exploit. Some people recently made wrong
statements about this and claimed to have found exploits "in the wild"
which exploit the crc32 hole against this version.
This is wrong and you can safely ignore these discussions.
If you installed the ssh-1.2.27 package instead of the openssh package, no
update should be necessary as long as you followed the SuSE Security
Announcement SuSE-SA:2001:04, which recommends updating to the latest
ssh-1.2.27 packages.
Due to legal constraints, the packages for the 7.0 and older
distributions containing cryptographic code can be found on ftp.suse.de,
not ftp.suse.com. Distributions 7.1 and newer have all of their
update packages on ftp.suse.com.
i386 Intel Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec1/openssh-2.9.9p2-38.i386.rpm
6ba603f1115b0125abf0b62f28ba6666
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/openssh-2.9.9p2-38.src.rpm
644d74829ecaa12c6a28cc9564bb0a1c
SuSE-7.2
ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec1/openssh-2.9.9p2-25.i386.rpm
0b0406a63181bf23c683add3f6f9abc3
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/openssh-2.9.9p2-25.src.rpm
5914018a06e77f7477058afa8617ab10
SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/sec1/openssh-2.9.9p2-26.i386.rpm
0d69dce8f61317c84efde55f6cc95f10
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/openssh-2.9.9p2-26.src.rpm
3aeba61d45d243773db8d1b7eedf6924
SuSE-7.0
ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/openssh-2.9.9p2-27.i386.rpm
2defc4cf8182b1e5eb4b204224007dd6
source rpm:
ftp://ftp.suse.de/pub/suse/i386/update/7.0/zq1/openssh-2.9.9p2-27.src.rpm
1999c7c42507c1c4d831daf170e88c6e
SuSE-6.4
ftp://ftp.suse.de/pub/suse/i386/update/6.4/sec1/openssh-2.9.9p2-27.i386.rpm
5fe6fdee55502e81b383b5b11047cee9
source rpm:
ftp://ftp.suse.de/pub/suse/i386/update/6.4/zq1/openssh-2.9.9p2-27.src.rpm
cfee6bebb8086dc2d861aeb5fff6dc17
Sparc Platform:
SuSE-7.1
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/sec1/openssh-2.9.9p2-8.sparc.rpm
8dcf46c82f11c35e8812d477caacd3b2
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/openssh-2.9.9p2-8.src.rpm
27ed16f77bcabd34919681fa07fcbd1c
SuSE-7.0
ftp://ftp.suse.de/pub/suse/sparc/update/7.0/sec1/openssh-2.9.9p2-8.sparc.rpm
a23db0e0516a935cfce8a199a48ce036
source rpm:
ftp://ftp.suse.de/pub/suse/sparc/update/7.0/zq1/openssh-2.9.9p2-8.src.rpm
e4c6c636fe7dd5e234d89dd28564611b
AXP Alpha Platform:
SuSE-7.1
ftp://ftp.suse.com/pub/suse/axp/update/7.1/sec1/openssh-2.9.9p2-5.alpha.rpm
b0e29b53f247c7a8ba6d17297867730e
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/openssh-2.9.9p2-5.src.rpm
73a832a3b10876d751203aca7fd37607
SuSE-7.0
ftp://ftp.suse.de/pub/suse/axp/update/7.0/sec1/openssh-2.9.9p2-6.alpha.rpm
5e07df7ce670e3918f0948495d74e23c
source rpm:
ftp://ftp.suse.de/pub/suse/axp/update/7.0/zq1/openssh-2.9.9p2-6.src.rpm
3a26418017f5af49ba707e51fa28d954
SuSE-6.4
ftp://ftp.suse.de/pub/suse/axp/update/6.4/sec1/openssh-2.9.9p2-6.alpha.rpm
c2e7364a00aef31a9d121302d316ce4f
source rpm:
ftp://ftp.suse.de/pub/suse/axp/update/6.4/zq1/openssh-2.9.9p2-6.src.rpm
d3a9299f748395912644c375e24302f7
Power PC Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec1/openssh-2.9.9p2-23.ppc.rpm
bdab314f57128accaa4855a8aedf23df
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/openssh-2.9.9p2-23.src.rpm
840bde44f9b372e637a7bdcf3b11a87e
SuSE-7.1
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/sec1/openssh-2.9.9p2-25.ppc.rpm
d3b5f2b85ce6cf9e30a0826127f5b6e4
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/openssh-2.9.9p2-25.src.rpm
888e553f06f96ddd7395ad4c241e0b69
SuSE-7.0
ftp://ftp.suse.de/pub/suse/ppc/update/7.0/sec1/openssh-2.9.9p2-18.ppc.rpm
34eee0c543d2cf266d084d7262475573
source rpm:
ftp://ftp.suse.de/pub/suse/ppc/update/7.0/zq1/openssh-2.9.9p2-18.src.rpm
c33d2e38303853e9363ee0beb9889b43
SuSE-6.4
ftp://ftp.suse.de/pub/suse/ppc/update/6.4/sec1/openssh-2.9.9p2-17.ppc.rpm
4d00f9e0a85631c3e2dd721ca0784f27
source rpm:
ftp://ftp.suse.de/pub/suse/ppc/update/6.4/zq1/openssh-2.9.9p2-17.src.rpm
685e7c8f85117384ea1205b683593b47
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
No additional information in this announcement.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over
the world. While this service is considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
it. There are two verification methods that can be used
independently of each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) the internal gpg signatures of the rpm package.
1) execute the command
md5sum