From: nc at stormvault.net (Nicolas Couture)
Subject: GLSA:  openssh (200305-01)

Daniel, 

Did you simply make packages with openssh-3.6.1p2?
If so, did you even test it for this vulnerability?
Where can we get more information about Gentoo packages that are fixing 
a security threat?

From my own experience, openssh-3.6.1p2 is also vulnerable to this
attack.

Nicolas Couture

On Fri, 2003-05-02 at 06:03, Daniel Ahlberg wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> - - - ---------------------------------------------------------------------
> GENTOO LINUX SECURITY ANNOUNCEMENT 200305-01
> - - - ---------------------------------------------------------------------
> 
>           PACKAGE : openssh
>           SUMMARY : timing attack leads to information disclosure
>              DATE : 2003-05-02 10:03 UTC
>           EXPLOIT : remote
> VERSIONS AFFECTED : <openssh-3.6.1_p2
>     FIXED VERSION : >=openssh-3.6.1_p2
>               CVE : CAN-2003-0190
> 
> - - - ---------------------------------------------------------------------
> 
> 
> Mediaservice.net has discovered a bug in OpenSSH that allows attackers
> to identify valid users on vulnerable systems.
> 
> Read the full advisory at
> http://lab.mediaservice.net/advisory/2003-01-openssh.txt
> 
> SOLUTION
> 
> It is recommended that all Gentoo Linux users who are running
> net-misc/openssh upgrade to openssh-3.6.1_p2 as follows:
> 
> emerge sync
> emerge openssh
> emerge clean
> 
> - - - ---------------------------------------------------------------------
> aliz@...too.org - GnuPG key is available at http://cvs.gentoo.org/~aliz
> - - - ---------------------------------------------------------------------
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
> 
> iD8DBQE+skJefT7nyhUpoZMRAt74AKCjytn9UHR9YILDL0eCwV18YaoP/gCgp1L/
> H9P9IVPXLlIHsJWW9XXLfUk=
> =Yz9f
> -----END PGP SIGNATURE-----
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


