Linux Security
    Linux Security
    Linux Security

    Debian: UPDATE: 'ssh' Remote Vulnerability

    Date 25 Jun 2002
    Posted By LinuxSecurity Advisories
    This advisory is an update to DSA-134-2: the changes mainly deal withpackaging issues; if you have already successfully installed anopenssh package from a previous DSA-134 advisory you may disregardthis message.
    Debian Security Advisory DSA-134-2                   This email address is being protected from spambots. You need JavaScript enabled to view it. Michael Stone
    June 25, 2002
    Package        : ssh
    Problem type   : remote exploit
    Debian-specific: no
    This advisory is an update to DSA-134-2: the changes mainly deal with
    packaging issues; if you have already successfully installed an
    openssh package from a previous DSA-134 advisory you may disregard
    this message.
    Theo de Raadt announced that the OpenBSD team is working with ISS to
    address a remote exploit for OpenSSH (a free implementation of the
    Secure SHell protocol). They are refusing to provide any details on
    the vulnerability but instead are advising users to upgrade to the
    latest release, version 3.3.
    This version was released 22 Jun 2002 and enabled by default a feature
    called privilege seperation, in order to minimize the effect of
    exploits in the ssh network handling code. Unfortunately this release
    has a few known problems:
    * compression does not work on all operating systems since the code
      relies on specific mmap features
    * the PAM support has not been completed and may break a few PAM modules
    * keyboard interactive authentication does not work with privilege
      seperation. Most noticable for Debian users this breaks PAM modules
      which need a PAM conversation function (like the OPIE module).
    The new privilege separation support from Niels Provos changes ssh to
    use a separate non-privileged process to handle most of the work. This
    means that any vulnerability in this part of OpenSSH can never lead to
    a root compromise but only to compromise of an unprivileged account
    restricted to a chroot.
    Theo made it very clear that this new version does not fix the
    vulnerability. Instead, using the new privilege separation code
    mitigates the vulnerability since the attacker can only gain access to
    that unprivileged chroot'd account.
    Since details of the problem have not been released, the move to the
    latest release of OpenSSH portable, version 3.3p1, is the only known
    method of mitigating the risk of the reported vulnerability.
    Please note that we have not had the time to do proper QA on these
    packages; they might contain bugs or break things unexpectedly. If you
    notice any such problems (besides the ones mentioned in this advisory)
    please file a bug-report so we can investigate.
    Some notes on possible issues associated with this upgrade:
    * This package introduce a new account called `sshd' that is used in
      the privilege separation code. If no sshd account exists the package
      will try to create one. If the account already exists it will be
      re-used. If you do not want this to happen you will have to fix this
    * (relevant for potato only) This update adds a backport of version
      0.9.6c of the SSL library. This means you will have to upgrade the
      ssl package as well.
    * (relevant for potato only) This update defaults to using version 2
      of the SSH protocol. This can break existing setups where RSA
      authentication is used. You will either have to
        - add -1 to the ssh invocation to keep using SSH protocol 1 and
          your existing keys, or
        - change the Protocol line in /etc/ssh/ssh_config and/or
          /etc/ssh/sshd_config to "Protocol 1,2" to try protocol 1 before
          protocol 2, or
        - create new rsa or dsa keys for SSH protocol 2
    * sshd defaults to enabling privilege seperation, even if you do not
      explicitly enable it in /etc/ssh/sshd_config . Again, unless you have
      "UsePrivilegeSeparation no" in your sshd_config, you will be using
      privilege seperation with this package.
    * If ssh does not work for you you can try to disable compression. We
      included a patch from Solar Designer which should fix the problem
      with Linux 2.2 kernels, but there might be a few cases where this is
      not sufficient.
    * (relevant for potato only) Privilege seperation does not currently
      work with Linux 2.0 kernels
    * If for some reason you cannot use privilege seperation (e.g.,
      because you are running a 2.0 kernel) but have already installed the
      openssh 3.3p1 package, you can revert to previous behavior by adding
      "UsePrivilegeSeparation no" to your /etc/ssh/sshd_config file. *Note
      that disabling privilege seperation will leave you vulnerable to the
      security problem described in this advisory and should only be done on
      an emergency basis.*
    Some issues from previous openssh 3.3p1 packages corrected in this
    advisory (not a complete changelog):
    * (relevant for potato only) the installation question, "[do you want
      to allow protocol 2 only" no longer defaults to "yes". Users who
      answered yes to this question and also chose to regenerate their
      sshd_config file found that they could no longer connect to their
      server via protocol 1. See /usr/doc/ssh/README.Debian for instructions
      on how to enable protocol 1 if caught in this situation.
    * (relevant for potato only) the ssh package no longer conflicts with
      rsh-server, nor does it provide an rsh alternative
    * installation will no longer fail if users choose to generate
      protocol 1 keys
    Again, we regret having to release packages with larger changes and
    less testing than is our usual practice; given the potential severity
    and non-specific nature of the threat we decided that our users were
    best served by having packages available for evaluation as quickly as
    possible. We will send additional information as it comes to us, and
    will continue to work on the outstanding issues.
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    Debian GNU/Linux 2.2 alias potato
      Potato was released for alpha, arm, i386, m68k, powerpc and sparc
      Packages for m68k are not available at this moment.
      Source archives:
    Size/MD5 checksum:    33694 8b83048b2bd7838703aaba40ae119810
    Size/MD5 checksum:   831189 226fdde5498c56288e777c7a697996e0
    Size/MD5 checksum:      871 bc2713452395932dc716df3cdb55a905
    Size/MD5 checksum:  2153980 c8261d93317635d56df55650c6aeb3dc
    Size/MD5 checksum:    37925 718ffc86669ae06b22d77c659400f4e8
    Size/MD5 checksum:      784 b197de235e0d10f7bb66b4751808a033
      Architecture independent packages:
    Size/MD5 checksum:      976 6b39f5a320b1c8bdbba05e2c8b041b70
      alpha architecture (DEC Alpha)
    Size/MD5 checksum:   863748 ae52add3e16fa3ac768c6f90851061ef
    Size/MD5 checksum:    33204 b37dfcf4220fa0f56621aea9ea57a29e
    Size/MD5 checksum:   589696 f0263fe6848b8bd09ad07a370ed6310a
    Size/MD5 checksum:   746344 5a06b3db8f6eabf063c3099cb539ffe9
    Size/MD5 checksum:  1548926 377068d478722db72c2fe52f3c23312b
      arm architecture (ARM)
    Size/MD5 checksum:   661912 e0f863a5d9ea719440ddfd7cd46e0f2b
    Size/MD5 checksum:    32424 2127978be04489fddd033dcbe1b8200c
    Size/MD5 checksum:   468106 c1dc499d7a06db8e831906f942d1192e
    Size/MD5 checksum:  1348440 7fb0b6f32b6eb2dfc78391a302bd0e02
    Size/MD5 checksum:   728932 0a9872153979c364d41208082c80772d
      i386 architecture (Intel ia32)
    Size/MD5 checksum:    32722 5ae7edb8eb38e4b01eeae2b080953dc7
    Size/MD5 checksum:   640376 7b9926d3bb35f65150e7f2be01da8b66
    Size/MD5 checksum:  1290006 362451bafdf4fe2104e54a0336893519
    Size/MD5 checksum:   461994 a1c785ce6982b9031410362f124d873a
    Size/MD5 checksum:   730338 747306c7e4ef0b767cb2985b74047b05
      powerpc architecture (PowerPC)
    Size/MD5 checksum:    32418 26a91d2f170eff0dbd68810de496bffd
    Size/MD5 checksum:   680472 c3d312c2bc0866c7ed66be67964386d1
    Size/MD5 checksum:   726602 93f47a77404ad9164565aac7ff901e43
    Size/MD5 checksum:  1384596 ff8ce54bc5fa3e0913ad1f359c36161b
    Size/MD5 checksum:   502776 a09451aa914242e199eb8e5de529ec26
      sparc architecture (Sun SPARC/UltraSPARC)
    Size/MD5 checksum:    35274 fc253370c6c9982015458b5dccc73f66
    Size/MD5 checksum:   687500 ad2e133fa6e3b1878f0a099748c541e6
    Size/MD5 checksum:  1338558 812adef25bd5abab26c47451dde84ba8
    Size/MD5 checksum:   482712 d821248f15cc4e1fa6574e4cdfdf02e0
    Size/MD5 checksum:   738056 d27a607775a80eb4aba24d29b35fe6ff
    Debian GNU/Linux 3.0 alias woody
      Woody will be released for alpha, arm, hppa, i386, ia64, m68k, mips,
      mipsel, powerpc, s390 and sparc. Packages for m68k are not available
      at this moment.
      Source archives:
    Size/MD5 checksum:      815 9b2d9ce52d08a1578edbfda9617231d9
    Size/MD5 checksum:   831189 226fdde5498c56288e777c7a697996e0
    Size/MD5 checksum:    34040 778ca8992b1bf7057d07f12018fb5bb3
      alpha architecture (DEC Alpha)
    Size/MD5 checksum:   844780 48ba4028203c023213718f87b1bfa537
    Size/MD5 checksum:    33604 15a9c4de1b4957c6a30046adc085adac
      arm architecture (ARM)
    Size/MD5 checksum:   653722 1a468897f1b4752fce130ae3f12034b2
    Size/MD5 checksum:    32830 34b2f0346a718c69aeaa87a15ca6773b
      i386 architecture (Intel ia32)
    Size/MD5 checksum:    33114 74c669d2646536853e044b13e62a2567
    Size/MD5 checksum:   638128 728e289d717ecc7c3a55d45091f3449e
      ia64 architecture (Intel ia64)
    Size/MD5 checksum:   998226 2fe4594fc8c748745f4f066a99195c04
    Size/MD5 checksum:    34568 9bd4d13b6e9c364f650b0ab99bf007ba
      mipsel architecture (MIPS (Little Endian))
    Size/MD5 checksum:   722614 b31db1cd4c9599aa9ba83c904c5c39d7
    Size/MD5 checksum:    33082 6f7ac7c2ecbd39ceb5d243854197f1c5
      powerpc architecture (PowerPC)
    Size/MD5 checksum:    32856 b6827c0d4bef215ab5661fa16b637f32
    Size/MD5 checksum:   677164 143803bd2413ee67886706246717734d
      sparc architecture (Sun SPARC/UltraSPARC)
    Size/MD5 checksum:    32902 5af151b5d6ccf438fd6e07c763de3d4a
    Size/MD5 checksum:   681752 d1b5c205d58d495573b51a98a13a96df
    apt-get: deb stable/updates main
    dpkg-ftp: dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.


    LinuxSecurity Poll

    'Tis the season of giving! How have you given back to the open-source community?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    [{"id":"171","title":"I've contributed to the development of an open-source project.","votes":"8","type":"x","order":"1","pct":27.59,"resources":[]},{"id":"172","title":"I've reviewed open-source code for security bugs.","votes":"6","type":"x","order":"2","pct":20.69,"resources":[]},{"id":"173","title":"I've made a donation to an open-source project.","votes":"15","type":"x","order":"3","pct":51.72,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350

    Please vote first in order to view vote results.


    bottom 200

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.