English | Deutsch | Español | Português
 UserID:
 Passwd:
new user
 About:   Dedicated  | Advanced  | Standard  | Recurring  | No Risk  | Desktop  | Basic  | Single  | Security Seal  | FAQ
  Price/Feature Summary  | Order  | New Vulnerabilities  | Confidentiality  | Vulnerability Search
 Vulnerability   
Search   
    Search 75516 CVE descriptions
and 39786 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : openssh
SUMMARY   : Remote vulnerability in openssh 
DATE      : 2002-06-28 15:27:00
ID        : CLA-2002:502
RELEVANT
RELEASES  : 6.0, 7.0, 8

- -------------------------------------------------------------------------

DESCRIPTION
 OpenSSH[1] is a very popular and versatile tool that uses encrypted
 connections between hosts and is commonly used for remote
 administration.
 
 ISS[5] published[4] an advisory concerning a remote vulnerability in
 OpenSSH that could be used by remote attackers to obtain root
 privileges on the server where OpenSSH is running.
 
 The vulnerability is present in two authentication mechanisms:
 ChallengeResponse and PAMAuthenticationViaKbdInt. If these mechanisms
 are not necessary in your installation, they can be disabled by the
 following entries in /etc/ssh/sshd_config:
 
 ChallengeResponseAuthentication no
 PAMAuthenticationViaKbdInt no
 
 Please note that any changes made to the sshd_config file require a
 service restart to be effective.
 
 To minimize the impact of this vulnerability the 3.3p1 version of
 OpenSSH has been made available previously[2]. That version, which
 still has this vulnerability, implements by default the
 PrivilegeSeparation mechanism which greatly reduces the impact of
 this and potential future vulnerabilities in OpenSSH. The 3.4p1
 version of OpenSSH has now been made available and it includes fixes
 for the reported vulnerabilities.
 
 Even though the vulnerability is fixed in version 3.4p1, users are
 still advised to keep using the PrivilegeSeparation feature. There
 are, though, still a few problems with certain authentication methods
 and PrivilegeSeparation that are expected to be solved in future
 releases. Whenever appropriate, new packages will be provided as
 bugfix advisories. In particular, the packages provided here contain
 a patch from Solar Designer (from the Openwall Project[4]) which
 allows the use of PrivilegeSeparation together with data compression
 in 2.2 kernels. Next releases might not need this patch anymore.
 
 If for some reason the use of PrivilegeSeparation is not possible in
 some setup, it can be disabled via the following entry in
 /etc/ssh/sshd_config:
 
 UsePrivilegeSeparation no


SOLUTION
 It is recommended that all OpenSSH users upgrade their packages.
 
 The ssh service will be automatically restarted during the upgrade if
 it is already running. Current ssh sessions will remain open during
 the restart.
 
 
 REFERENCES
 1.http://www.openssh.com
 2.http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000500
 3.http://www.cert.org/advisories/CA-2002-18.html
 4.http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584
 5.http://www.iss.net/
 6.http://www.openwall.com/Owl/


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openssh-3.4p1-1U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-3.4p1-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-askpass-3.4p1-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-askpass-gnome-3.4p1-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-clients-3.4p1-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-server-3.4p1-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/openssh-3.4p1-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-3.4p1-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-askpass-3.4p1-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-askpass-gnome-3.4p1-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-clients-3.4p1-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-server-3.4p1-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/openssh-3.4p1-1U8_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-3.4p1-1U8_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-askpass-3.4p1-1U8_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-askpass-gnome-3.4p1-1U8_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-clients-3.4p1-1U8_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-server-3.4p1-1U8_1cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades of RPM packages:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

 rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions reagarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9HKrn42jd0JmAcZARAjULAKDpqT6UwfBQaBmytic13I9hhN6aiwCg3cKb
CnsDqsAoqqzC4J/pyGTY4Ik=
=IIV9
-----END PGP SIGNATURE-----

New User Registration
Email:
UserID:
Passwd:
Please email me your monthly newsletters, informing the latest services, improvements & surveys.
Please email me a vulnerability test announcement whenever a new test is added.
   Privacy
Registered User Login
 
UserID:   
Passwd:  

 Forgot userid or passwd?
Email/Userid:




Home | About Us | Contact Us | Partner Programs | Privacy | Mailing Lists | Abuse
Security Audits | Managed DNS | Network Monitoring | Site Analyzer | Internet Research Reports
Web Probe | Whois

© 1998-2014 E-Soft Inc. All rights reserved.