lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 18 Feb 2006 13:33:42 +0100
From: OpenPKG <openpkg@...npkg.org>
To: bugtraq@...urityfocus.com
Subject: [OpenPKG-SA-2006.003] OpenPKG Security Advisory (openssh)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@...npkg.org                         openpkg@...npkg.org
OpenPKG-SA-2006.003                                          18-Feb-2006
________________________________________________________________________

Package:             openssh
Vulnerability:       arbitrary shell command excecution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= openssh-4.2p1-20060101 >= openssh-4.3p1-20060201
OpenPKG 2.5          <= openssh-4.2p1-2.5.1    >= openssh-4.2p1-2.5.2
OpenPKG 2.4          <= openssh-4.1p1-2.4.1    >= openssh-4.1p1-2.4.2
OpenPKG 2.3          <= openssh-3.9p1-2.3.0    >= openssh-3.9p1-2.3.1

Description:
  Ulrich Drepper discovered [0] a weakness in OpenSSH [1] version 4.2p1
  and earlier, caused due to the insecure use of the system(3) function
  in scp(1) when performing copy operations using filenames that are
  supplied by the user from the command line. This can be exploited to
  execute shell commands with privileges of the user running scp(1). The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CVE-2006-0225 [2] to the problem.
________________________________________________________________________

References:
  [0] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168167 
  [1] http://www.openssh.com/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@...npkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@...npkg.org>

iD8DBQFD9xQTgHWT4GPEy58RAmGhAJwPqGodxa5SWCErCK85VrzAhYMPUACfXeXy
h8vuY68O3h7SD1LpSCP/oHE=
=POPO
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists