lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-id: <E1Jeh3F-0004S2-6Z@artemis.annvix.ca>
Date: Wed, 26 Mar 2008 19:37:09 -0600
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2008:078 ] - Updated openssh packages fix
 X connection hijacking


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDVSA-2008:078
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : openssh
 Date    : March 26, 2008
 Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 OpenSSH allows local users to hijack forwarded X connections by causing
 ssh to set DISPLAY to :10, even when another process is listening on
 the associated port.
 
 The updated packages have been patched to prevent this issue.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 1cdb7c7b2ef0e3a98ed969c4cc176c37  2007.0/i586/openssh-4.5p1-0.3mdv2007.0.i586.rpm
 0fe8702c067054b0c375bbad1efa2b30  2007.0/i586/openssh-askpass-4.5p1-0.3mdv2007.0.i586.rpm
 134caea38014a9c13e3b05b6377a4b22  2007.0/i586/openssh-askpass-common-4.5p1-0.3mdv2007.0.i586.rpm
 ea641b9578d27f562a1d688d8694448f  2007.0/i586/openssh-askpass-gnome-4.5p1-0.3mdv2007.0.i586.rpm
 4e163bf66feedeaa93d640190c64273a  2007.0/i586/openssh-clients-4.5p1-0.3mdv2007.0.i586.rpm
 4c1619ecbf0f927a4cc13cde8ad4e905  2007.0/i586/openssh-server-4.5p1-0.3mdv2007.0.i586.rpm 
 aa30bb74824eb2fe90133c7d07c8dab9  2007.0/SRPMS/openssh-4.5p1-0.3mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 553a1d1a68afb3e6dd2cc92650810e6b  2007.0/x86_64/openssh-4.5p1-0.3mdv2007.0.x86_64.rpm
 b4ecf9307bb4262b39462e333062bbfa  2007.0/x86_64/openssh-askpass-4.5p1-0.3mdv2007.0.x86_64.rpm
 7b8f442b651db9093c2984ce181eecdb  2007.0/x86_64/openssh-askpass-common-4.5p1-0.3mdv2007.0.x86_64.rpm
 3ce5a4a378f8066896cd7ca573adc91b  2007.0/x86_64/openssh-askpass-gnome-4.5p1-0.3mdv2007.0.x86_64.rpm
 266dedc3bd7ced35c23a90fa68c66863  2007.0/x86_64/openssh-clients-4.5p1-0.3mdv2007.0.x86_64.rpm
 80565ee42635497514dd55a038e19111  2007.0/x86_64/openssh-server-4.5p1-0.3mdv2007.0.x86_64.rpm 
 aa30bb74824eb2fe90133c7d07c8dab9  2007.0/SRPMS/openssh-4.5p1-0.3mdv2007.0.src.rpm

 Mandriva Linux 2007.1:
 2cce377c3c1ed3ab206c3d7422ec3acb  2007.1/i586/openssh-4.6p1-1.2mdv2007.1.i586.rpm
 b5ee72f9edd2b85fd63447e678af5cb6  2007.1/i586/openssh-askpass-4.6p1-1.2mdv2007.1.i586.rpm
 d987a90109da19e121c8d5699ea451df  2007.1/i586/openssh-askpass-common-4.6p1-1.2mdv2007.1.i586.rpm
 02d2e8e07a1aaa07c1379fd8b451daac  2007.1/i586/openssh-askpass-gnome-4.6p1-1.2mdv2007.1.i586.rpm
 b4162da613394bdd7c53b0469d59092a  2007.1/i586/openssh-clients-4.6p1-1.2mdv2007.1.i586.rpm
 53f970e4c4d8630ce06017e74b4a8117  2007.1/i586/openssh-server-4.6p1-1.2mdv2007.1.i586.rpm 
 0e9a0fae3361d887239b02f56f966e70  2007.1/SRPMS/openssh-4.6p1-1.2mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 c68c6170ec716ec6eb9748ae3b9966de  2007.1/x86_64/openssh-4.6p1-1.2mdv2007.1.x86_64.rpm
 533976030cc8915c2524744189d36252  2007.1/x86_64/openssh-askpass-4.6p1-1.2mdv2007.1.x86_64.rpm
 76969355a7adf93a742761a30e0e9f30  2007.1/x86_64/openssh-askpass-common-4.6p1-1.2mdv2007.1.x86_64.rpm
 54cf4b7fadbbb52b241b38ad8298c75b  2007.1/x86_64/openssh-askpass-gnome-4.6p1-1.2mdv2007.1.x86_64.rpm
 560bd1f969a341204ed65e0b4ec974e2  2007.1/x86_64/openssh-clients-4.6p1-1.2mdv2007.1.x86_64.rpm
 cc5df054e5ee3e26cb40708ea7d20f1b  2007.1/x86_64/openssh-server-4.6p1-1.2mdv2007.1.x86_64.rpm 
 0e9a0fae3361d887239b02f56f966e70  2007.1/SRPMS/openssh-4.6p1-1.2mdv2007.1.src.rpm

 Mandriva Linux 2008.0:
 2111c70d431c328c7077ffadf1ff1611  2008.0/i586/openssh-4.7p1-2.2mdv2008.0.i586.rpm
 abd7791007806997f15568f4bf5ad480  2008.0/i586/openssh-askpass-4.7p1-2.2mdv2008.0.i586.rpm
 f2d471277db50b95888b3685c65786dc  2008.0/i586/openssh-askpass-common-4.7p1-2.2mdv2008.0.i586.rpm
 fa556ac82136323f2d7bce7bc2ebdc4d  2008.0/i586/openssh-askpass-gnome-4.7p1-2.2mdv2008.0.i586.rpm
 9390b79a551600c984f568c4a61e0c36  2008.0/i586/openssh-clients-4.7p1-2.2mdv2008.0.i586.rpm
 7d19398174cd1b98811720e4ac2bb6ea  2008.0/i586/openssh-server-4.7p1-2.2mdv2008.0.i586.rpm 
 a4a38dc3d02ada40d15c3c82a8714431  2008.0/SRPMS/openssh-4.7p1-2.2mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 ce637761cdca3a2885d71008d68ad5ce  2008.0/x86_64/openssh-4.7p1-2.2mdv2008.0.x86_64.rpm
 dd96178f7bbafc7fa4c6165f027424f7  2008.0/x86_64/openssh-askpass-4.7p1-2.2mdv2008.0.x86_64.rpm
 e59c6e5cf414167b934b556b2b733182  2008.0/x86_64/openssh-askpass-common-4.7p1-2.2mdv2008.0.x86_64.rpm
 c06a24dbbfcc82b820641e1f6215cf7e  2008.0/x86_64/openssh-askpass-gnome-4.7p1-2.2mdv2008.0.x86_64.rpm
 b1612dfbc98eba2d2395c8275080b3b6  2008.0/x86_64/openssh-clients-4.7p1-2.2mdv2008.0.x86_64.rpm
 8b36887467cb04a1c6549a7a89d24d5d  2008.0/x86_64/openssh-server-4.7p1-2.2mdv2008.0.x86_64.rpm 
 a4a38dc3d02ada40d15c3c82a8714431  2008.0/SRPMS/openssh-4.7p1-2.2mdv2008.0.src.rpm

 Corporate 3.0:
 bd39164a0885b1048a1bad7ee36e4b5c  corporate/3.0/i586/openssh-4.3p1-0.5.C30mdk.i586.rpm
 28d40b0131d01224e8302b09b701c241  corporate/3.0/i586/openssh-askpass-4.3p1-0.5.C30mdk.i586.rpm
 b0ecd0e810a3688e8c325e2e9490ac19  corporate/3.0/i586/openssh-askpass-gnome-4.3p1-0.5.C30mdk.i586.rpm
 73f0a5ed87d85459542d0daf91afc342  corporate/3.0/i586/openssh-clients-4.3p1-0.5.C30mdk.i586.rpm
 7598a2dcef9d65274ceef4b05daf6f6c  corporate/3.0/i586/openssh-server-4.3p1-0.5.C30mdk.i586.rpm 
 47a7c143a1f59df502d679fad706407b  corporate/3.0/SRPMS/openssh-4.3p1-0.5.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 9741d292d7ab4e9897144b2e9e241028  corporate/3.0/x86_64/openssh-4.3p1-0.5.C30mdk.x86_64.rpm
 acfadda7a360c60928ff3cbc0396b286  corporate/3.0/x86_64/openssh-askpass-4.3p1-0.5.C30mdk.x86_64.rpm
 a40bfc1509425d8d4873f09ba4655a6f  corporate/3.0/x86_64/openssh-askpass-gnome-4.3p1-0.5.C30mdk.x86_64.rpm
 2045a78a038012bdf8d3f008dd929848  corporate/3.0/x86_64/openssh-clients-4.3p1-0.5.C30mdk.x86_64.rpm
 63f2dd8d94e1386a0dd40584cdb331ec  corporate/3.0/x86_64/openssh-server-4.3p1-0.5.C30mdk.x86_64.rpm 
 47a7c143a1f59df502d679fad706407b  corporate/3.0/SRPMS/openssh-4.3p1-0.5.C30mdk.src.rpm

 Corporate 4.0:
 90a82a41e96edc3a906415fd8752d4ae  corporate/4.0/i586/openssh-4.3p1-0.6.20060mlcs4.i586.rpm
 ccc5e86dd030d38ea68e20fc94f2f09d  corporate/4.0/i586/openssh-askpass-4.3p1-0.6.20060mlcs4.i586.rpm
 98f6b7de70978476bc88649dd1d7aee5  corporate/4.0/i586/openssh-askpass-gnome-4.3p1-0.6.20060mlcs4.i586.rpm
 e9ccaf3b3f2da24a319f0a8486bba6a6  corporate/4.0/i586/openssh-clients-4.3p1-0.6.20060mlcs4.i586.rpm
 2a21febb787249e6640326faf776a47b  corporate/4.0/i586/openssh-server-4.3p1-0.6.20060mlcs4.i586.rpm 
 3c9380388adfa5ce11c469aba798fa50  corporate/4.0/SRPMS/openssh-4.3p1-0.6.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 75c4138df03cb7338e4f0fd00b11d089  corporate/4.0/x86_64/openssh-4.3p1-0.6.20060mlcs4.x86_64.rpm
 ee15ff755b409b38d0ef5565d33f46a3  corporate/4.0/x86_64/openssh-askpass-4.3p1-0.6.20060mlcs4.x86_64.rpm
 4fefe00577fc32dfc1b998dbf938086f  corporate/4.0/x86_64/openssh-askpass-gnome-4.3p1-0.6.20060mlcs4.x86_64.rpm
 ae087298d947fa6042f9b0bb6ca4eb47  corporate/4.0/x86_64/openssh-clients-4.3p1-0.6.20060mlcs4.x86_64.rpm
 eac093e98f64783eeefc12a4db6ec2c2  corporate/4.0/x86_64/openssh-server-4.3p1-0.6.20060mlcs4.x86_64.rpm 
 3c9380388adfa5ce11c469aba798fa50  corporate/4.0/SRPMS/openssh-4.3p1-0.6.20060mlcs4.src.rpm

 Multi Network Firewall 2.0:
 64edf29914476e979c84adc5126d146b  mnf/2.0/i586/openssh-4.3p1-0.5.M20mdk.i586.rpm
 3852bab5554701da9d449c4a3be4c63b  mnf/2.0/i586/openssh-askpass-4.3p1-0.5.M20mdk.i586.rpm
 3b2d30fbfd949cc0cb8854cc372eb0c1  mnf/2.0/i586/openssh-askpass-gnome-4.3p1-0.5.M20mdk.i586.rpm
 1023e4044888cd2c60840328a0a94eb4  mnf/2.0/i586/openssh-clients-4.3p1-0.5.M20mdk.i586.rpm
 6a9319816793ec07b1874c880599c316  mnf/2.0/i586/openssh-server-4.3p1-0.5.M20mdk.i586.rpm 
 3e888dc4c4879fcb9d834bac1b789405  mnf/2.0/SRPMS/openssh-4.3p1-0.5.M20mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)

iD8DBQFH6s6BmqjQ0CJFipgRAv/DAKCChRGxX5CS6Shhn5MiT5mvechPmgCeNbMJ
a02Qog6Gy/e/vPp21tMQDbM=
=pdXy
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ