Message-ID: <20061002134049.GA4662@piware.de>
Date: Mon, 2 Oct 2006 15:40:49 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-355-1] openssh vulnerabilities

=========================================================== 
Ubuntu Security Notice USN-355-1           October 02, 2006
openssh vulnerabilities
CVE-2006-4924, CVE-2006-5051
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  openssh-server                           1:3.9p1-1ubuntu2.3

Ubuntu 5.10:
  openssh-server                           1:4.1p1-7ubuntu4.2

Ubuntu 6.06 LTS:
  openssh-server                           1:4.2p1-7ubuntu3.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Tavis Ormandy discovered that the SSH daemon did not properly handle
authentication packets with duplicated blocks. By sending specially
crafted packets, a remote attacker could exploit this to cause the ssh
daemon to drain all available CPU resources until the login grace time
expired. (CVE-2006-4924)

Mark Dowd discovered a race condition in the server's signal handling.
A remote attacker could exploit this to crash the server.
(CVE-2006-5051)


