lists.openwall.net | Open Source and information security mailing list archives
From: kernelclue at hushmail.com (kernelclue@...hmail.com)
Subject: Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability

OpenSSH runs on a number of platforms, Windows included. To say this
reflects on GNU/Linux or any Linux distro is just nonsense.

On Tue, 16 Sep 2003 11:29:30 -0700 Dave Monk <dave@...maneater.com> wrote:
>Recent security advisories featuring the operating system known as
>'GNU/Linux' (formerly minix) have had a negative effect on the
>listserv.
>
>The problem stems from the polymorphic, virus-like phenomenon also
>known as the 'Linux distro'; the Linux distro allows any single
>permutation of a base Linux install (such as location of the mail
>spool) to actually qualify and require an entire new operating
>system distribution. At this point in time there are over 50
>distros out there.
>
>The cascade failure effect is that the minute a hole or flaw in a
>base Linux subsystem such as the kernel or system tools immediately
>causes a flood of 'vendor' emails sent to bugtraq describing each
>way to disable/upgrade the broken feature on their OS.
>
>The effect is that the 'signal to stupid-linux-bug ratio' on the
>lists gets completely out of whack, thereby diluting the utility
>of the list.
>
>Solutions:
>
> None. (how do you expect to stop a tidal wave of suicidal VC money?)
>
>Workarounds:
>
>1) All advisories should be filtered through RMS, which would achieve
> the desired effect of delaying their posting indefinitely.
>2) All such advisories should be prefixed by '[YASLB]' in the subject line
> (yet another stupid linux bug) so I can filter this stupid crap.
>
>thanks,
>everyone
>
>
>bugzilla@...hat.com (bugzilla@...hat.com) wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> - ---------------------------------------------------------------------
>> Red Hat Security Advisory
>>
>> Synopsis:          Updated OpenSSH packages fix potential vulnerability
>> Advisory ID:       RHSA-2003:279-01
>> Issue date:        2003-09-16
>> Updated on:        2003-09-16
>> Product:           Red Hat Linux
>> Keywords:
>> Cross references:
>> Obsoletes:         RHSA-2003:222
>> CVE Names:         CAN-2003-0693
>> - ---------------------------------------------------------------------
>>
>> 1. Topic:
>>
>> Updated OpenSSH packages are now available that fix a bug that may be
>> remotely exploitable.
>>
>> 2. Relevant releases/architectures:
>>
>> Red Hat Linux 7.1 - i386
>> Red Hat Linux 7.2 - i386, ia64
>> Red Hat Linux 7.3 - i386
>> Red Hat Linux 8.0 - i386
>> Red Hat Linux 9 - i386
>>
>> 3. Problem description:
>>
>> OpenSSH is a suite of network connectivity tools that can be used to
>> establish encrypted connections between systems on a network and can
>> provide interactive login sessions and port forwarding, among other
>> functions.
>>
>> The OpenSSH team has announced a bug which affects the OpenSSH buffer
>> handling code. This bug has the potential of being remotely exploitable.
>>
>> All users of OpenSSH should immediately apply this update which contains a
>> backported fix for this issue.
>>
>> 4. Solution:
>>
>> Before applying this update, make sure all previously released errata
>> relevant to your system have been applied.
>>
>> To update all RPMs for your particular architecture, run:
>>
>> rpm -Fvh [filenames]
>>
>> where [filenames] is a list of the RPMs you wish to upgrade. Only those
>> RPMs which are currently installed will be updated. Those RPMs which are
>> not installed but included in the list will not be updated. Note that you
>> can also use wildcards (*.rpm) if your current directory *only* contains the
>> desired RPMs.
>>
>> Please note that this update is also available via Red Hat Network. Many
>> people find this an easier way to apply updates. To use Red Hat Network,
>> launch the Red Hat Update Agent with the following command:
>>
>> up2date
>>
>> This will start an interactive process that will result in the appropriate
>> RPMs being upgraded on your system.
>>
>> If up2date fails to connect to Red Hat Network due to SSL Certificate
>> Errors, you need to install a version of the up2date client with an updated
>> certificate. The latest version of up2date is available from the Red Hat
>> FTP site and may also be downloaded directly from the RHN website:
>>
>> https://rhn.redhat.com/help/latest-up2date.pxt
>>
>> 5. RPMs required:
>>
>> Red Hat Linux 7.1:
>>
>> SRPMS:
>> ftp://updates.redhat.com/7.1/en/os/SRPMS/openssh-3.1p1-9.src.rpm
>>
>> i386:
>> ftp://updates.redhat.com/7.1/en/os/i386/openssh-3.1p1-9.i386.rpm
>> ftp://updates.redhat.com/7.1/en/os/i386/openssh-clients-3.1p1-9.i386.rpm
>> ftp://updates.redhat.com/7.1/en/os/i386/openssh-server-3.1p1-9.i386.rpm
>> ftp://updates.redhat.com/7.1/en/os/i386/openssh-askpass-3.1p1-9.i386.rpm
>> ftp://updates.redhat.com/7.1/en/os/i386/openssh-askpass-gnome-3.1p1-9.i386.rpm
>>
>> Red Hat Linux 7.2:
>>
>> SRPMS:
>> ftp://updates.redhat.com/7.2/en/os/SRPMS/openssh-3.1p1-10.src.rpm
>>
>> i386:
>> ftp://updates.redhat.com/7.2/en/os/i386/openssh-3.1p1-10.i386.rpm
>> ftp://updates.redhat.com/7.2/en/os/i386/openssh-clients-3.1p1-10.i386.rpm
>> ftp://updates.redhat.com/7.2/en/os/i386/openssh-server-3.1p1-10.i386.rpm
>> ftp://updates.redhat.com/7.2/en/os/i386/openssh-askpass-3.1p1-10.i386.rpm
>> ftp://updates.redhat.com/7.2/en/os/i386/openssh-askpass-gnome-3.1p1-10.i386.rpm
>>
>> ia64:
>> ftp://updates.redhat.com/7.2/en/os/ia64/openssh-3.1p1-10.ia64.rpm
>> ftp://updates.redhat.com/7.2/en/os/ia64/openssh-clients-3.1p1-10.ia64.rpm
>> ftp://updates.redhat.com/7.2/en/os/ia64/openssh-server-3.1p1-10.ia64.rpm
>> ftp://updates.redhat.com/7.2/en/os/ia64/openssh-askpass-3.1p1-10.ia64.rpm
>> ftp://updates.redhat.com/7.2/en/os/ia64/openssh-askpass-gnome-3.1p1-10.ia64.rpm
>>
>> Red Hat Linux 7.3:
>>
>> SRPMS:
>> ftp://updates.redhat.com/7.3/en/os/SRPMS/openssh-3.1p1-10.src.rpm
>>
>> i386:
>> ftp://updates.redhat.com/7.3/en/os/i386/openssh-3.1p1-10.i386.rpm
>> ftp://updates.redhat.com/7.3/en/os/i386/openssh-clients-3.1p1-10.i386.rpm
>> ftp://updates.redhat.com/7.3/en/os/i386/openssh-server-3.1p1-10.i386.rpm
>> ftp://updates.redhat.com/7.3/en/os/i386/openssh-askpass-3.1p1-10.i386.rpm
>> ftp://updates.redhat.com/7.3/en/os/i386/openssh-askpass-gnome-3.1p1-10.i386.rpm
>>
>> Red Hat Linux 8.0:
>>
>> SRPMS:
>> ftp://updates.redhat.com/8.0/en/os/SRPMS/openssh-3.4p1-5.src.rpm
>>
>> i386:
>> ftp://updates.redhat.com/8.0/en/os/i386/openssh-3.4p1-5.i386.rpm
>> ftp://updates.redhat.com/8.0/en/os/i386/openssh-clients-3.4p1-5.i386.rpm
>> ftp://updates.redhat.com/8.0/en/os/i386/openssh-server-3.4p1-5.i386.rpm
>> ftp://updates.redhat.com/8.0/en/os/i386/openssh-askpass-3.4p1-5.i386.rpm
>> ftp://updates.redhat.com/8.0/en/os/i386/openssh-askpass-gnome-3.4p1-5.i386.rpm
>>
>> Red Hat Linux 9:
>>
>> SRPMS:
>> ftp://updates.redhat.com/9/en/os/SRPMS/openssh-3.5p1-9.src.rpm
>>
>> i386:
>> ftp://updates.redhat.com/9/en/os/i386/openssh-3.5p1-9.i386.rpm
>> ftp://updates.redhat.com/9/en/os/i386/openssh-clients-3.5p1-9.i386.rpm
>> ftp://updates.redhat.com/9/en/os/i386/openssh-server-3.5p1-9.i386.rpm
>> ftp://updates.redhat.com/9/en/os/i386/openssh-askpass-3.5p1-9.i386.rpm
>> ftp://updates.redhat.com/9/en/os/i386/openssh-askpass-gnome-3.5p1-9.i386.rpm
>>
>>
>>
>> 6. Verification:
>>
>> MD5 sum                          Package Name
>> - --------------------------------------------------------------------------
>> 68c4a788b259ac5d80696344a1635238 7.1/en/os/SRPMS/openssh-3.1p1-9.src.rpm
>> 2cb116a25b5d3f2ae0290c2b02eb822a 7.1/en/os/i386/openssh-3.1p1-9.i386.rpm
>> 8871705678463c84f5bac0d7e314c51d 7.1/en/os/i386/openssh-askpass-3.1p1-9.i386.rpm
>> d40669604c1003d5fa56a0fe8f5f259f 7.1/en/os/i386/openssh-askpass-gnome-3.1p1-9.i386.rpm
>> ad58192a0988ae2ba28303892344dc15 7.1/en/os/i386/openssh-clients-3.1p1-9.i386.rpm
>> 275ab4661dfef3d2331a044723728ba8 7.1/en/os/i386/openssh-server-3.1p1-9.i386.rpm
>> 8a643b9a1c2081510494bcfe81d704da 7.2/en/os/SRPMS/openssh-3.1p1-10.src.rpm
>> 41d575bf0e8740dea7be6f228cd49a06 7.2/en/os/i386/openssh-3.1p1-10.i386.rpm
>> 4b768a29889a977e780f40829767f139 7.2/en/os/i386/openssh-askpass-3.1p1-10.i386.rpm
>> c6ade41287005e1bc3e773d489571b2f 7.2/en/os/i386/openssh-askpass-gnome-3.1p1-10.i386.rpm
>> ac2a157d5527b94629b393709dafee88 7.2/en/os/i386/openssh-clients-3.1p1-10.i386.rpm
>> dfd86218d209c998c1f5877470e08ee3 7.2/en/os/i386/openssh-server-3.1p1-10.i386.rpm
>> 35ed02df36d62ae2ae388bdb1a2fde8b 7.2/en/os/ia64/openssh-3.1p1-10.ia64.rpm
>> 00efc09f44de8e8757ed002b1c8f33d1 7.2/en/os/ia64/openssh-askpass-3.1p1-10.ia64.rpm
>> 0a08a3bf5bdd95fb718c9f588aeb19a5 7.2/en/os/ia64/openssh-askpass-gnome-3.1p1-10.ia64.rpm
>> ad1d2c29d579622abeb9aaddc3ba2205 7.2/en/os/ia64/openssh-clients-3.1p1-10.ia64.rpm
>> baa9c271eea7d6d3d49fc14d4cc6cd20 7.2/en/os/ia64/openssh-server-3.1p1-10.ia64.rpm
>> 8a643b9a1c2081510494bcfe81d704da 7.3/en/os/SRPMS/openssh-3.1p1-10.src.rpm
>> 41d575bf0e8740dea7be6f228cd49a06 7.3/en/os/i386/openssh-3.1p1-10.i386.rpm
>> 4b768a29889a977e780f40829767f139 7.3/en/os/i386/openssh-askpass-3.1p1-10.i386.rpm
>> c6ade41287005e1bc3e773d489571b2f 7.3/en/os/i386/openssh-askpass-gnome-3.1p1-10.i386.rpm
>> ac2a157d5527b94629b393709dafee88 7.3/en/os/i386/openssh-clients-3.1p1-10.i386.rpm
>> dfd86218d209c998c1f5877470e08ee3 7.3/en/os/i386/openssh-server-3.1p1-10.i386.rpm
>> 9b0e321ba85cb0d0d92aa8d2215b660b 8.0/en/os/SRPMS/openssh-3.4p1-5.src.rpm
>> 98eec1cabf75d33b4dab5cbcc1fa3916 8.0/en/os/i386/openssh-3.4p1-5.i386.rpm
>> 40a5f106abe732b2de667d8eea533bfb 8.0/en/os/i386/openssh-askpass-3.4p1-5.i386.rpm
>> 2d7066401fdffdc33d8432c5a6e15bf2 8.0/en/os/i386/openssh-askpass-gnome-3.4p1-5.i386.rpm
>> 437bf2bd207673ce3ab9632e6c862972 8.0/en/os/i386/openssh-clients-3.4p1-5.i386.rpm
>> b1d6e055c373770fac486b1c32b1110b 8.0/en/os/i386/openssh-server-3.4p1-5.i386.rpm
>> 7b1cf7bfc16af8675fef75f1c82825ca 9/en/os/SRPMS/openssh-3.5p1-9.src.rpm
>> 42127cbc814679cefd1db11265eb2ded 9/en/os/i386/openssh-3.5p1-9.i386.rpm
>> 301a68bc432e7ac55f847edbb30b4741 9/en/os/i386/openssh-askpass-3.5p1-9.i386.rpm
>> baeb84c227233c05d5b6e9e3bc1bdd3d 9/en/os/i386/openssh-askpass-gnome-3.5p1-9.i386.rpm
>> 78188bca46a3ccbba67d1040f42e3c07 9/en/os/i386/openssh-clients-3.5p1-9.i386.rpm
>> 2233bfd17074fd127dac4f47b57e905c 9/en/os/i386/openssh-server-3.5p1-9.i386.rpm
>>
>>
>> These packages are GPG signed by Red Hat for security. Our key is
>> available from https://www.redhat.com/security/keys.html
>>
>> You can verify each package with the following command:
>>
>> rpm --checksig -v <filename>
>>
>> If you only wish to verify that each package has not been corrupted or
>> tampered with, examine only the md5sum with the following command:
>>
>> md5sum <filename>
>>
>>
>> 7. References:
>>
>> http://marc.theaimsgroup.com/?l=openbsd-misc&m=106371592604940
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693
>>
>> 8. Contact:
>>
>> The Red Hat security contact is <secalert@...hat.com>. More contact
>> details at https://www.redhat.com/solutions/security/news/contact.html
>>
>> Copyright 2003 Red Hat, Inc.
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.0.7 (GNU/Linux)
>>
>> iD8DBQE/Z06fXlSAg2UNWIIRAjxnAJ9aO/FjfvTrpAJSHTT3XDTvZj3/zwCgkKLt
>> kgDsuTIKPlAf1EIS42Rg4Bo=
>> =NzeI
>> -----END PGP SIGNATURE-----
>
>--
>Dave McKay
>dave@...org
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
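The verification step in section 6 of the quoted advisory, worked through as a script. This is an added example, not code from Red Hat or from either poster: it reads an MD5 table in the advisory's "MD5 sum / Package Name" layout, checks each listed package found in a download directory with md5sum, and then runs the advisory's own rpm --checksig command on the files if rpm is installed. The function names, the constructed stand-in package used in the demo, and the assumption that downloaded files are matched by basename (the table lists FTP-relative paths) are all mine.

```shell
#!/bin/sh
# Added example (not part of the advisory): check downloaded Red Hat
# errata packages against the advisory's MD5 table, then check their
# GPG signatures the way section 6 of the advisory asks.

# verify_md5_manifest MANIFEST DIR
#   MANIFEST: text in the advisory's table layout, one "<md5> <path>" per
#             line; header, ruler and blank lines are ignored.
#   DIR:      directory holding the downloaded .rpm files. The advisory
#             paths are FTP-relative, so files are matched by basename
#             (an assumption of this example).
#   Prints one status line per package and returns 0 only when at least
#   one package was checked and every listed package is present and matches.
verify_md5_manifest() {
    manifest=$1
    dir=$2
    failures=0
    checked=0
    # A here-document keeps the loop in the current shell, so the counters
    # survive; piping into "while read" would run the loop in a subshell.
    while read -r expected path; do
        # Only rows whose first field is a 32-digit lowercase hex sum count.
        case $expected in
            ""|*[!0-9a-f]*) continue ;;
        esac
        [ "${#expected}" -eq 32 ] || continue
        file="$dir/$(basename "$path")"
        if [ ! -f "$file" ]; then
            printf 'MISSING  %s\n' "$path"
            failures=$((failures + 1))
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        checked=$((checked + 1))
        if [ "$actual" = "$expected" ]; then
            printf 'OK       %s\n' "$path"
        else
            printf 'MISMATCH %s (expected %s, got %s)\n' "$path" "$expected" "$actual"
            failures=$((failures + 1))
        fi
    done <<EOF
$manifest
EOF
    printf '%d checked, %d problem(s)\n' "$checked" "$failures"
    [ "$failures" -eq 0 ] && [ "$checked" -gt 0 ]
}

# verify_rpm_signatures DIR
#   Runs the advisory's "rpm --checksig -v" on every .rpm in DIR. A matching
#   md5sum only shows the download is intact relative to the table; the
#   package signature is what ties it to Red Hat's signing key.
#   Returns 2 when rpm is not installed so a caller can tell "skipped"
#   from "failed".
verify_rpm_signatures() {
    dir=$1
    command -v rpm >/dev/null 2>&1 || {
        echo 'rpm not installed; signature check skipped' >&2
        return 2
    }
    status=0
    for f in "$dir"/*.rpm; do
        [ -f "$f" ] || continue
        rpm --checksig -v "$f" || status=1
    done
    return "$status"
}

# Stand-alone demonstration on constructed data: a stand-in "package" whose
# expected sum is computed here (no real RPM is downloaded), checked once
# intact and once after tampering.
demo() {
    tmp=$(mktemp -d) || return 1
    pkg="$tmp/openssh-server-3.5p1-9.i386.rpm"
    printf 'constructed stand-in for an RPM payload\n' > "$pkg"
    sum=$(md5sum "$pkg" | cut -d' ' -f1)
    # Manifest in the advisory's layout, header and ruler rows included.
    manifest="MD5 sum                          Package Name
- --------------------------------------------------------------------------
$sum 9/en/os/i386/openssh-server-3.5p1-9.i386.rpm"
    echo '--- intact download:'
    verify_md5_manifest "$manifest" "$tmp" || echo 'unexpected failure'
    echo '--- after appending one byte to the package:'
    printf 'x' >> "$pkg"
    verify_md5_manifest "$manifest" "$tmp" || echo 'tampering detected, as expected'
    rm -rf "$tmp"
    return 0
}

demo
```

In practice the manifest is the table pasted out of the advisory and the directory is wherever the RPMs were fetched; a non-zero status from verify_md5_manifest means do not proceed to rpm -Fvh. The md5sum list is only as trustworthy as the advisory carrying it, which is why the advisory itself is PGP clearsigned and why verify_rpm_signatures is a separate step rather than an optional extra.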