Message-ID: <200309162108.h8GL8m6a051077@mailserver1.hushmail.com>
From: kernelclue at hushmail.com (kernelclue@...hmail.com)
Subject: Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability
OpenSSH runs on a number of platforms, Windows included. To say this
reflects on GNU/Linux or any Linux distro is just nonsense.
On Tue, 16 Sep 2003 11:29:30 -0700 Dave Monk <dave@...maneater.com> wrote:
>Recent security advisories featuring the operating system known as
>'GNU/Linux' (formerly minix) have had a negative effect on the
>listserv.
>
>The problem stems from the polymorphic, virus-like phenomenon also
>known as the 'Linux distro', the Linux distro allows any single
>permutation of a base Linux install (such as location of the mail
>spool) to actually qualify and require an entire new operating
>system distribution. At this point in time there are over 50
>distros out there.
>
>The cascade failure effect is that the minute a hole or flaw in a
>base Linux subsystem such as the kernel or system tools immediately
>causes a flood of 'vendor' emails sent to bugtraq describing each
>way to disable/upgrade the broken feature on their OS.
>
>The effect is that the 'signal to stupid-linux-bug ratio' on the
>lists gets completely out of whack thereby diluting the utility
>of the list.
>
>Solutions:
>
> None. (how do you expect to stop a tidal wave of suicidal VC money?)
>
>Workarounds:
>
>1) All advisories should be filtered through RMS, which would achieve
> the desired effect of delaying their posting indefinitely.
>2) All such advisories should be prefixed by '[YASLB]' in the subject
> line (yet another stupid linux bug) so I can filter this stupid crap.
>
>thanks,
>everyone
>
>
>bugzilla@...hat.com (bugzilla@...hat.com) wrote:
>>
>> - ---------------------------------------------------------------------
>> Red Hat Security Advisory
>>
>> Synopsis: Updated OpenSSH packages fix potential vulnerability
>> Advisory ID: RHSA-2003:279-01
>> Issue date: 2003-09-16
>> Updated on: 2003-09-16
>> Product: Red Hat Linux
>> Keywords:
>> Cross references:
>> Obsoletes: RHSA-2003:222
>> CVE Names: CAN-2003-0693
>> - ---------------------------------------------------------------------
>>
>> 1. Topic:
>>
>> Updated OpenSSH packages are now available that fix a bug that may be
>> remotely exploitable.
>>
>> 2. Relevant releases/architectures:
>>
>> Red Hat Linux 7.1 - i386
>> Red Hat Linux 7.2 - i386, ia64
>> Red Hat Linux 7.3 - i386
>> Red Hat Linux 8.0 - i386
>> Red Hat Linux 9 - i386
>>
>> 3. Problem description:
>>
>> OpenSSH is a suite of network connectivity tools that can be used to
>> establish encrypted connections between systems on a network and can
>> provide interactive login sessions and port forwarding, among other
>> functions.
>>
>> The OpenSSH team has announced a bug which affects the OpenSSH buffer
>> handling code. This bug has the potential of being remotely exploitable.
>>
>> All users of OpenSSH should immediately apply this update which contains a
>> backported fix for this issue.
>>
>> 4. Solution:
>>
>> Before applying this update, make sure all previously released errata
>> relevant to your system have been applied.
>>
>> To update all RPMs for your particular architecture, run:
>>
>> rpm -Fvh [filenames]
>>
>> where [filenames] is a list of the RPMs you wish to upgrade. Only those
>> RPMs which are currently installed will be updated. Those RPMs which are
>> not installed but included in the list will not be updated. Note that you
>> can also use wildcards (*.rpm) if your current directory *only* contains the
>> desired RPMs.
>>
>> Please note that this update is also available via Red Hat Network. Many
>> people find this an easier way to apply updates. To use Red Hat Network,
>> launch the Red Hat Update Agent with the following command:
>>
>> up2date
>>
>> This will start an interactive process that will result in the appropriate
>> RPMs being upgraded on your system.
>>
>> If up2date fails to connect to Red Hat Network due to SSL Certificate
>> Errors, you need to install a version of the up2date client with an updated
>> certificate. The latest version of up2date is available from the Red Hat
>> FTP site and may also be downloaded directly from the RHN website:
>>
>> https://rhn.redhat.com/help/latest-up2date.pxt
>>
>> 5. RPMs required:
>>
>> Red Hat Linux 7.1:
>>
>> SRPMS:
>> ftp://updates.redhat.com/7.1/en/os/SRPMS/openssh-3.1p1-9.src.rpm
>>
>> i386:
>> ftp://updates.redhat.com/7.1/en/os/i386/openssh-3.1p1-9.i386.rpm
>> ftp://updates.redhat.com/7.1/en/os/i386/openssh-clients-3.1p1-9.i386.rpm
>> ftp://updates.redhat.com/7.1/en/os/i386/openssh-server-3.1p1-9.i386.rpm
>> ftp://updates.redhat.com/7.1/en/os/i386/openssh-askpass-3.1p1-9.i386.rpm
>> ftp://updates.redhat.com/7.1/en/os/i386/openssh-askpass-gnome-3.1p1-9.i386.rpm
>>
>> Red Hat Linux 7.2:
>>
>> SRPMS:
>> ftp://updates.redhat.com/7.2/en/os/SRPMS/openssh-3.1p1-10.src.rpm
>>
>> i386:
>> ftp://updates.redhat.com/7.2/en/os/i386/openssh-3.1p1-10.i386.rpm
>> ftp://updates.redhat.com/7.2/en/os/i386/openssh-clients-3.1p1-10.i386.rpm
>> ftp://updates.redhat.com/7.2/en/os/i386/openssh-server-3.1p1-10.i386.rpm
>> ftp://updates.redhat.com/7.2/en/os/i386/openssh-askpass-3.1p1-10.i386.rpm
>> ftp://updates.redhat.com/7.2/en/os/i386/openssh-askpass-gnome-3.1p1-10.i386.rpm
>>
>> ia64:
>> ftp://updates.redhat.com/7.2/en/os/ia64/openssh-3.1p1-10.ia64.rpm
>> ftp://updates.redhat.com/7.2/en/os/ia64/openssh-clients-3.1p1-10.ia64.rpm
>> ftp://updates.redhat.com/7.2/en/os/ia64/openssh-server-3.1p1-10.ia64.rpm
>> ftp://updates.redhat.com/7.2/en/os/ia64/openssh-askpass-3.1p1-10.ia64.rpm
>> ftp://updates.redhat.com/7.2/en/os/ia64/openssh-askpass-gnome-3.1p1-10.ia64.rpm
>>
>> Red Hat Linux 7.3:
>>
>> SRPMS:
>> ftp://updates.redhat.com/7.3/en/os/SRPMS/openssh-3.1p1-10.src.rpm
>>
>> i386:
>> ftp://updates.redhat.com/7.3/en/os/i386/openssh-3.1p1-10.i386.rpm
>> ftp://updates.redhat.com/7.3/en/os/i386/openssh-clients-3.1p1-10.i386.rpm
>> ftp://updates.redhat.com/7.3/en/os/i386/openssh-server-3.1p1-10.i386.rpm
>> ftp://updates.redhat.com/7.3/en/os/i386/openssh-askpass-3.1p1-10.i386.rpm
>> ftp://updates.redhat.com/7.3/en/os/i386/openssh-askpass-gnome-3.1p1-10.i386.rpm
>>
>> Red Hat Linux 8.0:
>>
>> SRPMS:
>> ftp://updates.redhat.com/8.0/en/os/SRPMS/openssh-3.4p1-5.src.rpm
>>
>> i386:
>> ftp://updates.redhat.com/8.0/en/os/i386/openssh-3.4p1-5.i386.rpm
>> ftp://updates.redhat.com/8.0/en/os/i386/openssh-clients-3.4p1-5.i386.rpm
>> ftp://updates.redhat.com/8.0/en/os/i386/openssh-server-3.4p1-5.i386.rpm
>> ftp://updates.redhat.com/8.0/en/os/i386/openssh-askpass-3.4p1-5.i386.rpm
>> ftp://updates.redhat.com/8.0/en/os/i386/openssh-askpass-gnome-3.4p1-5.i386.rpm
>>
>> Red Hat Linux 9:
>>
>> SRPMS:
>> ftp://updates.redhat.com/9/en/os/SRPMS/openssh-3.5p1-9.src.rpm
>>
>> i386:
>> ftp://updates.redhat.com/9/en/os/i386/openssh-3.5p1-9.i386.rpm
>> ftp://updates.redhat.com/9/en/os/i386/openssh-clients-3.5p1-9.i386.rpm
>> ftp://updates.redhat.com/9/en/os/i386/openssh-server-3.5p1-9.i386.rpm
>> ftp://updates.redhat.com/9/en/os/i386/openssh-askpass-3.5p1-9.i386.rpm
>> ftp://updates.redhat.com/9/en/os/i386/openssh-askpass-gnome-3.5p1-9.i386.rpm
>>
>> 6. Verification:
>>
>> These packages are GPG signed by Red Hat for security. Our key is
>> available from https://www.redhat.com/security/keys.html
>>
>> You can verify each package with the following command:
>>
>> rpm --checksig -v <filename>
>>
>> If you only wish to verify that each package has not been corrupted or
>> tampered with, examine only the md5sum with the following command:
>>
>> md5sum <filename>
>>
>>
>> 7. References:
>>
>> http://marc.theaimsgroup.com/?l=openbsd-misc&m=106371592604940
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693
>>
>> 8. Contact:
>>
>> The Red Hat security contact is <secalert@...hat.com>. More contact
>> details at https://www.redhat.com/solutions/security/news/contact.html
>>
>> Copyright 2003 Red Hat, Inc.
>
>--
>Dave McKay
>dave@...org
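The verification step the quoted advisory describes (section 6: md5sum per package, then rpm --checksig), written out as an added POSIX sh example; this is not code from the advisory, from Red Hat, or from either poster. It assumes the advisory's checksum table has been saved to a file as "<md5> <path>" lines and the packages downloaded into one directory; the file names in the usage comment are constructed.

```shell
#!/bin/sh
# Added example: not from the advisory or the quoted mails. Checks files in
# DIR against a manifest in the advisory's "MD5 sum  Package Name" layout,
# one "<md5> <path>" pair per line. Returns 0 only if every listed file is
# present and its md5sum matches; a missing or altered file fails the run.
check_md5_manifest() {
    manifest=$1
    dir=$2
    bad=0
    while read -r sum path; do
        # skip blank lines, the column header and the dashed separator
        case "$sum" in ''|MD5|-*) continue ;; esac
        f="$dir/$(basename "$path")"
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"
            bad=1
            continue
        fi
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "MISMATCH $f expected $sum got $actual"
            bad=1
            continue
        fi
        echo "OK       $f"
    done < "$manifest"
    return $bad
}

# An md5sum only shows the file is the one the advisory lists; the package
# signature is the stronger check. Runs rpm --checksig over every .rpm in DIR
# and fails on the first package rpm rejects. Needs rpm to be installed.
check_rpm_sigs() {
    dir=$1
    for f in "$dir"/*.rpm; do
        [ -f "$f" ] || continue
        rpm --checksig "$f" || return 1
    done
    return 0
}

# Typical use (assumed names): download the RPMs from section 5 into ./updates,
# save section 6 as MANIFEST, then refuse to install unless both checks pass.
#   check_md5_manifest MANIFEST ./updates && check_rpm_sigs ./updates \
#       && rpm -Fvh ./updates/*.rpm
```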