SuSE: 'openssh/ssh' vulnerability

    Date24 Nov 2000
    CategorySuSE
    2543
    Posted ByLinuxSecurity Advisories
    Many vulnerabilities have been found in the openssh package, along with a compilation problem in the openssh and ssh packages in the SuSE-7.0 distribution.
    
    -----BEGIN PGP SIGNED MESSAGE-----
    
    ______________________________________________________________________________
    
                            SuSE Security Announcement
    
            Package:                openssh/ssh
            Announcement-ID:        SuSE-SA:2000:47
            Date:                   Friday, November 24th, 2000 16:30 MET
            Affected SuSE versions: 6.4, 7.0
            Vulnerability Type:     clientside remote vulnerability
            Severity (1-10):        6
            SuSE default package:   yes
            Other affected systems: systems w/ openssh versions before 2.3.0
    
        Content of this advisory:
            1) security vulnerability resolved: openssh
               problem description, discussion, solution and upgrade information
            2) pending vulnerabilities, solutions, workarounds
            3) standard appendix (further information)
    
    ______________________________________________________________________________
    
    1)  problem description, brief discussion, solution, upgrade information
    
        openssh is an implementation of the secure shell protocol, available under
        the BSD license, primarily maintained by the OpenBSD Project.
    
        Many vulnerabilities have been found in the openssh package, along with
        a compilation problem in the openssh and ssh packages in the SuSE-7.0 
        distribution: An openssh client (the ssh program) can accept X11- or
        ssh-agent forwarding requests even though these forwarding capabilities
        have not been requested by the client side after successful authentication.
        Using these weaknesses, an attacker could gain access to the 
        authentication agent which may hold multiple user-owned authentification
        identities, or to the X-server on the client side as if requested by the
        user. These problems have been found/reported by Markus Friedl 
        <This email address is being protected from spambots. You need JavaScript enabled to view it.> and Jacob Langseth 
        <This email address is being protected from spambots. You need JavaScript enabled to view it.>.
        A problem in the configure script in both the openssh and ssh package
        on the SuSE-7.0 distribution caused the sshd programs to not be linked
        against the tcp-wrapper library. By consequence, access rules for the sshd
        server-side service as configured in /etc/hosts.allow and /etc/hosts.deny
        were ignored. This has been reported to us by Lutz Pressler <This email address is being protected from spambots. You need JavaScript enabled to view it.>.
        We thank these individuals for their contribution.
        Sebastian Krahmer <This email address is being protected from spambots. You need JavaScript enabled to view it.> found a small tmp file handling
        problem in the perl script `make-ssh-known-hosts´. A (local) attacker
        could trick the perl program to follow symbolic links and thereby 
        overwriting files with the privileges of the user calling 
        make-ssh-known-hosts.
    
        The solution for the first three problems (agent+X11-forwarding, missing
        libwrap support) is an upgrade to a newer package. The tmp file problem 
        can be easily solved by hand. Please see the special install instructions
        below.
    
        Note: Upon public request, we also provide update packages for the 
              SuSE-6.3 Intel distribution, even though the openssh packages
              was not included in this distribution.
    
    
        special install instructions:
        =====================================
    
        To find out which package (ssh or openssh) you use, please use the command
        `rpm -qf /usr/bin/ssh´.
        __
        case openssh: 
            Please follow the instructions below to download and install
            the update package. Afterwards, restart the sshd daemon:
                   `rcsshd restart´.
        __
        case ssh:
          before SuSE-7.0 (excluding 7.0):
              In the file /usr/bin/make-ssh-known-hosts, please change the line
              (around line 102)
    
                $private_ssh_known_hosts = "/tmp/ssh_known_hosts$$";
              to read
                $private_ssh_known_hosts = "~/ssh_known_hosts$$";
              and you are done. 
    
          SuSE-7.0: Please follow the instructions below to download
              and install the update package. Afterwards, restart the sshd daemon:
                    `rcsshd restart´    
    
    
        Please choose the update package(s) for your distribution from the URLs
        listed below and download the necessary rpm files. Then, install the
        package using the command `rpm -Uhv file.rpm´. rpm packages have an 
        internal md5 checksum that protects against file corruption. You can
        verify this checksum using the command (independently from the md5 
        signatures below)
            `rpm --checksig --nogpg file.rpm',
        The md5 sums under each package are to prove the package authenticity,
        independently from the md5 checksums in the rpm package format.
    
    
        i386 Intel Platform:
    
        SuSE-7.0
         ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/openssh-2.3.0p1-0.i386.rpm
          3c7b9044ffb64f9f74c904eb2b278eb2
        source rpm:
         ftp://ftp.suse.de/pub/suse/i386/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm
          aebcda19518208497671e752bbdfaeb8
    
        SuSE-6.4
         ftp://ftp.suse.de/pub/suse/i386/update/6.4/sec1/openssh-2.3.0p1-0.i386.rpm
          04c17b0eba99c798ae401fb9aafbc7e4
        source rpm:
         ftp://ftp.suse.de/pub/suse/i386/update/6.4/zq1/openssh-2.3.0p1-0.src.rpm
          2003ab41cfa32ef39b11b4977ef4cd1f
    
        SuSE-6.3
         ftp://ftp.suse.de/pub/suse/i386/update/6.3/sec1/openssh-2.3.0p1-0.i386.rpm
          04c17b0eba99c798ae401fb9aafbc7e4
        source rpm:
         ftp://ftp.suse.de/pub/suse/i386/update/6.3/zq1/openssh-2.3.0p1-0.src.rpm
          2003ab41cfa32ef39b11b4977ef4cd1f
    
    
        Sparc Platform:
    
        SuSE-7.0
         ftp://ftp.suse.de/pub/suse/sparc/update/7.0/sec1/openssh-2.3.0p1-0.sparc.rpm
          898aaaacee88777429496f1a5658076f
        source rpm:
         ftp://ftp.suse.de/pub/suse/sparc/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm
          97868b04de04a0baafcee69ebbbe6079
    
    
        AXP Alpha Platform:
    
        SuSE-7.0
         ftp://ftp.suse.de/pub/suse/axp/update/7.0/sec1/openssh-2.3.0p1-0.alpha.rpm
          dd12c60b2744455780c976b115b26f27
        source rpm:
         ftp://ftp.suse.de/pub/suse/axp/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm
          6df5af1a88fda4d8fc1a493e4d10bc01
    
        SuSE-6.4
         ftp://ftp.suse.de/pub/suse/axp/update/6.4/sec1/openssh-2.3.0p1-0.alpha.rpm
          99de4bb6f183be1b69a610744f4566bc
        source rpm:
         ftp://ftp.suse.de/pub/suse/axp/update/6.4/zq1/openssh-2.3.0p1-0.src.rpm
          aa56e311205ba58478c815760452367e
    
    
        PPC Power PC Platform:
    
        SuSE-7.0
         ftp://ftp.suse.de/pub/suse/ppc/update/7.0/sec1/openssh-2.3.0p1-0.ppc.rpm
          72f7c339991e54a476585012423dda62
        source rpm:
         ftp://ftp.suse.de/pub/suse/ppc/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm
          749ccc55396944ad43c1977e55903958
    
        SuSE-6.4
         ftp://ftp.suse.de/pub/suse/ppc/update/6.4/sec1/openssh-2.3.0p1-0.ppc.rpm
          59727fa055e5d835bc4e455302b1ef49
        source rpm:
         ftp://ftp.suse.de/pub/suse/ppc/update/6.4/zq1/openssh-2.3.0p1-0.src.rpm
          7e42dbad4e50a2ad9156e94cf2a93955
    
    ______________________________________________________________________________
    
    2)  Pending vulnerabilities in SuSE Distributions and Workarounds:
    
        Clarification:
        In my message (Subject: "SuSE: miscellaneous"), dated Wed, 15 Nov 2000,
        concerning the paragraph about runtime linking problems in gs 
        (GhostScript) , I have stated that the problem will be fixed in future
        versions of the SuSE distribution. This does not touch the fact that we
        will of course provide fixes for the older distributions.
    
    
        - pine
    
          The packages (version 4.30) are on our ftp server and can be downloaded.
          The SuSE security announcement is pending.
    
    
        - netscape
    
          Michal Zalewski <This email address is being protected from spambots. You need JavaScript enabled to view it.> has reported a buffer overflow
          in Netscape's html parser code. A specially crafted html document may
          cause the browser to execute arbitrary code as the user calling the
          netscape program. The packages are available for download on ftp.suse.com.
          A security announcement is on the way to address the issue.
    
        - gs (ghostscript)
    
          Two vulnerabilities have been found in the ghostscript package as shipped
          with SuSE distributions: Insecure temporary file handling and a linker
          problem that could make gs runtime-link against ./libc.so.6.
          We're currently working on update packages. In the meanwhile, it is 
          advised to not run gs or applications that call gs from within a world-
          writeable directory.
    
    
        - jed
    
          The text editor jed saves files in /tmp upon emergency termination in an
          insecure way. This problem was fixed with the release of SuSE-6.3 after
          a SuSE-internal code audit by Thomas Biege <This email address is being protected from spambots. You need JavaScript enabled to view it.>. The 
          information about the existence of this bug was not communicated to the
          public because the editor was not very widely used at that time.
          We will provide update packages for the SuSE releases 6.0, 6.1 and 6.2
          shortly.
    ______________________________________________________________________________
    
    3)  standard appendix:
    
        SuSE runs two security mailing lists to which any interested party may
        subscribe:
    
        This email address is being protected from spambots. You need JavaScript enabled to view it.
            -   general/linux/SuSE security discussion. 
                All SuSE security announcements are sent to this list.
                To subscribe, send an email to 
                    <This email address is being protected from spambots. You need JavaScript enabled to view it.>.
    
        This email address is being protected from spambots. You need JavaScript enabled to view it.
            -   SuSE's announce-only mailing list.
                Only SuSE's security annoucements are sent to this list.
                To subscribe, send an email to
                    <This email address is being protected from spambots. You need JavaScript enabled to view it.>.
    
        For general information or the frequently asked questions (faq) 
        send mail to:
            <This email address is being protected from spambots. You need JavaScript enabled to view it.> or
            <This email address is being protected from spambots. You need JavaScript enabled to view it.> respectively.
    
        ===============================================
        SuSE's security contact is <This email address is being protected from spambots. You need JavaScript enabled to view it.>.
        ===============================================
    
    Regards,
    Roman Drahtmüller.
    - - -- 
     -                                                                      -
    | Roman Drahtmüller      <This email address is being protected from spambots. You need JavaScript enabled to view it.> //          "Caution: Cape does |
      SuSE GmbH - Security           Phone: //       not enable user to fly."
    | Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
     -                                                                      -
    ______________________________________________________________________________
    
        The information in this advisory may be distributed or reproduced,
        provided that the advisory is not modified in any way.
        SuSE GmbH makes no warranties of any kind whatsoever with respect 
        to the information contained in this security advisory.
    
    Type Bits/KeyID    Date       User ID
    pub  2048/3D25D3D9 1999/03/06 SuSE Security Team <This email address is being protected from spambots. You need JavaScript enabled to view it.>
    
    - -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: 2.6.3i
    
    mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
    BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
    JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
    1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
    P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
    cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
    VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
    yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
    tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
    xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
    Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
    choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
    BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
    v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
    x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
    Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
    MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
    saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
    L0oixF12Cg==
    =pIeS
    - -----END PGP PUBLIC KEY BLOCK-----
    
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.3i
    Charset: noconv
    
    iQEVAwUBOh6OSney5gA9JdPZAQFsKAf/Rn7V0D4N4nRRhWcYvvtNeIYfYsitOByR
    7W/Q1Mbh3WIjDehw+3enCZi9PBB5GnoMVyMRthaUH1+1zY5DT8q/bkpgvhW3pD+F
    pP/ksNRwJte2mZNdd/7UUu/cS8ditCIRO65JGyttqdU6VhoGLFgXiZPE0YWcfyJj
    VoCRR4Jv6peCodSZdfOe5DVZUTfZATdp8Fm1A5+0XAVwfgr3n/J/aoJgkRwWJ/Kr
    szGp7Q9TeIOzKZJOHxwKnQ+c+8ge0F2h02WsI8cq6B8HMhVwYnV4rXU4E7CmYnzm
    sn6lKj7qTykqajNi1zqPjGpUDNU7gH1L5zMXiiisgkacT9bavwF7lw==
    =Uskv
    -----END PGP SIGNATURE-----
    
    
    
    
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"23","type":"x","order":"1","pct":56.1,"resources":[]},{"id":"88","title":"Should be more technical","votes":"5","type":"x","order":"2","pct":12.2,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"13","type":"x","order":"3","pct":31.71,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    Advisories

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.