Debian: 'ssh-nonfree' 'ssh-socks' Remote root vulnerability

    Date: 13 Nov 2001
    Category: Debian
    Posted By: LinuxSecurity Advisories
    We have received reports that the "SSH CRC-32 compensation attack detector vulnerability" is being actively exploited. This is the same integer type error previously corrected for OpenSSH in DSA-027-1. OpenSSH (the Debian ssh package) was fixed at that time, but ssh-nonfree and ssh-socks were not.
    
    ----------------------------------------------------------------------------
    Debian Security Advisory DSA 086-1
    http://www.debian.org/security/                                Michael Stone
    November 13, 2001
    ----------------------------------------------------------------------------
    
    Package: ssh-nonfree, ssh-socks
    Vulnerability: remote root exploit
    Debian-specific: no
    
    We have received reports that the "SSH CRC-32 compensation attack
    detector vulnerability" is being actively exploited. This is the same
    integer type error previously corrected for OpenSSH in DSA-027-1.
    OpenSSH (the Debian ssh package) was fixed at that time, but
    ssh-nonfree and ssh-socks were not.
    
    Though packages in the non-free section of the archive are not
    officially supported by the Debian project, we are taking the unusual
    step of releasing updated ssh-nonfree/ssh-socks packages for those
    users who have not yet migrated to OpenSSH. However, we do recommend
    that our users migrate to the regularly supported, DFSG-free "ssh"
    package as soon as possible. ssh 1.2.3-9.3 is the OpenSSH package
    available in Debian 2.2r4.
    
    The fixed ssh-nonfree/ssh-socks packages are available in version
    1.2.27-6.2 for use with Debian 2.2 (potato) and version 1.2.27-8 for
    use with the Debian unstable/testing distribution. Note that the new
    ssh-nonfree/ssh-socks packages remove the setuid bit from the ssh
    binary, disabling rhosts-rsa authentication. If you need this
    functionality, run
     chmod u+s /usr/bin/ssh1
    after installing the new package.
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 2.2 alias potato
    ------------------------------------
    
      ARM architecture:
    
        Not yet available
    
    For not yet released architectures please refer to the appropriate
    directory  ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .
    
    ----------------------------------------------------------------------------
    For apt-get: deb  http://security.debian.org/ stable/updates main non-free
    For dpkg-ftp:
      ftp://security.debian.org/debian-security dists/stable/updates/main
      ftp://security.debian.org/debian-security dists/stable/updates/non-free
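
A post-upgrade audit for the fix this advisory describes, as an added example that is not part of the Debian advisory or of any Debian tooling: it compares the installed ssh-nonfree/ssh-socks versions against the fixed versions stated above and reports whether /usr/bin/ssh1 is setuid. The function names and script layout are assumptions; `dpkg --compare-versions` and `dpkg-query` are standard dpkg commands.

```shell
#!/bin/sh
# Added example: audit a host against DSA 086-1. Package names, fixed versions
# and /usr/bin/ssh1 come from the advisory; the function names are assumptions.

# fixed_version SUITE -> first fixed version for that suite, per the advisory
fixed_version() {
    case "$1" in
        potato)           echo "1.2.27-6.2" ;;
        unstable|testing) echo "1.2.27-8" ;;
        *)                return 1 ;;
    esac
}

# is_fixed INSTALLED SUITE -> exit 0 when INSTALLED >= the suite's fixed version
is_fixed() {
    want=$(fixed_version "$2") || return 2
    dpkg --compare-versions "$1" ge "$want"
}

# setuid_state PATH -> prints "missing", "setuid" or "not-setuid"
setuid_state() {
    if [ ! -e "$1" ]; then echo "missing"
    elif [ -u "$1" ]; then echo "setuid"
    else echo "not-setuid"
    fi
}

# audit SUITE -> per-package report; returns 1 if a package predates the fix
audit() {
    fixed_version "$1" >/dev/null || { echo "unknown suite: $1" >&2; return 2; }
    rc=0
    for pkg in ssh-nonfree ssh-socks; do
        st=$(dpkg-query -W -f='${Status} ${Version}' "$pkg" 2>/dev/null) || st=""
        case "$st" in
            "install ok installed "*) ver=${st##* } ;;
            *) echo "$pkg: not installed"; continue ;;
        esac
        if is_fixed "$ver" "$1"; then
            echo "$pkg $ver: fixed"
        else
            echo "$pkg $ver: older than the fix, upgrade or migrate to ssh"
            rc=1
        fi
    done
    echo "/usr/bin/ssh1: $(setuid_state /usr/bin/ssh1)"
    return $rc
}

if [ $# -eq 1 ]; then audit "$1"; fi
```

Run it with the suite name as the only argument, for example `potato`. A "setuid" result on a host with the fixed package means the bit was re-added after the upgrade, as the advisory describes for rhosts-rsa authentication.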