lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 8 Nov 2006 17:08:33 +0100
From: OpenPKG <openpkg@...npkg.org>
To: bugtraq@...urityfocus.com
Subject: [OpenPKG-SA-2006.032] OpenPKG Security Advisory (openssh)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                                   OpenPKG GmbH
http://openpkg.org/security/                          http://openpkg.com
OpenPKG-SA-2006.032                                           2006-11-08
________________________________________________________________________

Package:          openssh
Vulnerability:    security bypass
OpenPKG Specific: no

Affected Series:  Affected Packages:          Corrected Packages:
E1.0-SOLID        <= openssh-4.4p1-E1.0.0     >= openssh-4.4p1-E1.0.1
2-STABLE-20061018 <= openssh-4.4p1-2.20061024 >= openssh-4.5p1-2.20061108
2-STABLE          <= openssh-4.4p1-2.20061024 >= openssh-4.5p1-2.20061108
CURRENT           <= openssh-4.4p1-20061104   >= openssh-4.5p1-20061108

Description:
  According to a vendor release announcement [0], a vulnerability
  exists in the privilege separation functionality of the Secure
  Shell (SSH) implementation OpenSSH [1]. The vulnerability is
  caused by an incorrect checking for bad signatures in the sshd(8)
  privilege separation monitor and this way its verification of
  successful authentication is weakened. As a result the monitor and the
  unprivileged process can get out of sync. According to the vendor,
  this bug is not known to be exploitable in the absence of additional
  vulnerabilities. Additionally, OpenPKG's OpenSSH configuration for
  portability reasons has the "privilege separation" functionality not
  enabled by default.
________________________________________________________________________

References:
  [0] http://www.openssh.com/txt/release-4.5
  [1] http://www.openssh.com/
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@...npkg.org>" (ID 63C4CB9F) which
you can retrieve from http://openpkg.org/openpkg.org.pgp. Follow the
instructions on http://openpkg.org/security/signatures/ for details on
how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@...npkg.org>

iD8DBQFFUgDpgHWT4GPEy58RAjDDAJ9CdwrWxMqq6eOOADtJxYyzoKjYKwCgzj9p
XIG+pGSPEjmf+yyFqu/A+Qk=
=w+L+
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ