From: nc at stormvault.net (Nicolas Couture)
Subject: GLSA:  openssh (200305-01)

Daniel, 

Did you simply make packages with openssh-3.6.1p2?
If so, did you even test it for this vulnerability?
Where can we get more information about Gentoo packages that are fixing
a security threat?

From my own experience, openssh-3.6.1p2 is also vulnerable to this
attack.

Nicolas Couture

On Fri, 2003-05-02 at 06:03, Daniel Ahlberg wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> - - - ---------------------------------------------------------------------
> GENTOO LINUX SECURITY ANNOUNCEMENT 200305-01
> - - - ---------------------------------------------------------------------
> 
>           PACKAGE : openssh
>           SUMMARY : timing attack leads to information disclosure
>              DATE : 2003-05-02 10:03 UTC
>           EXPLOIT : remote
> VERSIONS AFFECTED : <openssh-3.6.1_p2
>     FIXED VERSION : >=openssh-3.6.1_p2
>               CVE : CAN-2003-0190
> 
> - - - ---------------------------------------------------------------------
> 
> 
> Mediaservice.net has discovered a bug in OpenSSH that allows attackers
> to identify valid users on vulnerable systems.
> 
> Read the full advisory at
> http://lab.mediaservice.net/advisory/2003-01-openssh.txt
> 
> SOLUTION
> 
> It is recommended that all Gentoo Linux users who are running
> net-misc/openssh upgrade to openssh-3.6.1_p2 as follows:
> 
> emerge sync
> emerge openssh
> emerge clean
> 
> - - - ---------------------------------------------------------------------
> aliz@...too.org - GnuPG key is available at http://cvs.gentoo.org/~aliz
> - - - ---------------------------------------------------------------------
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
> 
> iD8DBQE+skJefT7nyhUpoZMRAt74AKCjytn9UHR9YILDL0eCwV18YaoP/gCgp1L/
> H9P9IVPXLlIHsJWW9XXLfUk=
> =Yz9f
> -----END PGP SIGNATURE-----
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


