[<prev] [next>] [day] [month] [year] [list]
Message-id: <E1Jeh3F-0004S2-6Z@artemis.annvix.ca>
Date: Wed, 26 Mar 2008 19:37:09 -0600
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2008:078 ] - Updated openssh packages fix
X connection hijacking
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2008:078
http://www.mandriva.com/security/
_______________________________________________________________________
Package : openssh
Date : March 26, 2008
Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0,
Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
OpenSSH allows local users to hijack forwarded X connections by causing
ssh to set DISPLAY to :10, even when another process is listening on
the associated port.
The updated packages have been patched to prevent this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2007.0:
1cdb7c7b2ef0e3a98ed969c4cc176c37 2007.0/i586/openssh-4.5p1-0.3mdv2007.0.i586.rpm
0fe8702c067054b0c375bbad1efa2b30 2007.0/i586/openssh-askpass-4.5p1-0.3mdv2007.0.i586.rpm
134caea38014a9c13e3b05b6377a4b22 2007.0/i586/openssh-askpass-common-4.5p1-0.3mdv2007.0.i586.rpm
ea641b9578d27f562a1d688d8694448f 2007.0/i586/openssh-askpass-gnome-4.5p1-0.3mdv2007.0.i586.rpm
4e163bf66feedeaa93d640190c64273a 2007.0/i586/openssh-clients-4.5p1-0.3mdv2007.0.i586.rpm
4c1619ecbf0f927a4cc13cde8ad4e905 2007.0/i586/openssh-server-4.5p1-0.3mdv2007.0.i586.rpm
aa30bb74824eb2fe90133c7d07c8dab9 2007.0/SRPMS/openssh-4.5p1-0.3mdv2007.0.src.rpm
Mandriva Linux 2007.0/X86_64:
553a1d1a68afb3e6dd2cc92650810e6b 2007.0/x86_64/openssh-4.5p1-0.3mdv2007.0.x86_64.rpm
b4ecf9307bb4262b39462e333062bbfa 2007.0/x86_64/openssh-askpass-4.5p1-0.3mdv2007.0.x86_64.rpm
7b8f442b651db9093c2984ce181eecdb 2007.0/x86_64/openssh-askpass-common-4.5p1-0.3mdv2007.0.x86_64.rpm
3ce5a4a378f8066896cd7ca573adc91b 2007.0/x86_64/openssh-askpass-gnome-4.5p1-0.3mdv2007.0.x86_64.rpm
266dedc3bd7ced35c23a90fa68c66863 2007.0/x86_64/openssh-clients-4.5p1-0.3mdv2007.0.x86_64.rpm
80565ee42635497514dd55a038e19111 2007.0/x86_64/openssh-server-4.5p1-0.3mdv2007.0.x86_64.rpm
aa30bb74824eb2fe90133c7d07c8dab9 2007.0/SRPMS/openssh-4.5p1-0.3mdv2007.0.src.rpm
Mandriva Linux 2007.1:
2cce377c3c1ed3ab206c3d7422ec3acb 2007.1/i586/openssh-4.6p1-1.2mdv2007.1.i586.rpm
b5ee72f9edd2b85fd63447e678af5cb6 2007.1/i586/openssh-askpass-4.6p1-1.2mdv2007.1.i586.rpm
d987a90109da19e121c8d5699ea451df 2007.1/i586/openssh-askpass-common-4.6p1-1.2mdv2007.1.i586.rpm
02d2e8e07a1aaa07c1379fd8b451daac 2007.1/i586/openssh-askpass-gnome-4.6p1-1.2mdv2007.1.i586.rpm
b4162da613394bdd7c53b0469d59092a 2007.1/i586/openssh-clients-4.6p1-1.2mdv2007.1.i586.rpm
53f970e4c4d8630ce06017e74b4a8117 2007.1/i586/openssh-server-4.6p1-1.2mdv2007.1.i586.rpm
0e9a0fae3361d887239b02f56f966e70 2007.1/SRPMS/openssh-4.6p1-1.2mdv2007.1.src.rpm
Mandriva Linux 2007.1/X86_64:
c68c6170ec716ec6eb9748ae3b9966de 2007.1/x86_64/openssh-4.6p1-1.2mdv2007.1.x86_64.rpm
533976030cc8915c2524744189d36252 2007.1/x86_64/openssh-askpass-4.6p1-1.2mdv2007.1.x86_64.rpm
76969355a7adf93a742761a30e0e9f30 2007.1/x86_64/openssh-askpass-common-4.6p1-1.2mdv2007.1.x86_64.rpm
54cf4b7fadbbb52b241b38ad8298c75b 2007.1/x86_64/openssh-askpass-gnome-4.6p1-1.2mdv2007.1.x86_64.rpm
560bd1f969a341204ed65e0b4ec974e2 2007.1/x86_64/openssh-clients-4.6p1-1.2mdv2007.1.x86_64.rpm
cc5df054e5ee3e26cb40708ea7d20f1b 2007.1/x86_64/openssh-server-4.6p1-1.2mdv2007.1.x86_64.rpm
0e9a0fae3361d887239b02f56f966e70 2007.1/SRPMS/openssh-4.6p1-1.2mdv2007.1.src.rpm
Mandriva Linux 2008.0:
2111c70d431c328c7077ffadf1ff1611 2008.0/i586/openssh-4.7p1-2.2mdv2008.0.i586.rpm
abd7791007806997f15568f4bf5ad480 2008.0/i586/openssh-askpass-4.7p1-2.2mdv2008.0.i586.rpm
f2d471277db50b95888b3685c65786dc 2008.0/i586/openssh-askpass-common-4.7p1-2.2mdv2008.0.i586.rpm
fa556ac82136323f2d7bce7bc2ebdc4d 2008.0/i586/openssh-askpass-gnome-4.7p1-2.2mdv2008.0.i586.rpm
9390b79a551600c984f568c4a61e0c36 2008.0/i586/openssh-clients-4.7p1-2.2mdv2008.0.i586.rpm
7d19398174cd1b98811720e4ac2bb6ea 2008.0/i586/openssh-server-4.7p1-2.2mdv2008.0.i586.rpm
a4a38dc3d02ada40d15c3c82a8714431 2008.0/SRPMS/openssh-4.7p1-2.2mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
ce637761cdca3a2885d71008d68ad5ce 2008.0/x86_64/openssh-4.7p1-2.2mdv2008.0.x86_64.rpm
dd96178f7bbafc7fa4c6165f027424f7 2008.0/x86_64/openssh-askpass-4.7p1-2.2mdv2008.0.x86_64.rpm
e59c6e5cf414167b934b556b2b733182 2008.0/x86_64/openssh-askpass-common-4.7p1-2.2mdv2008.0.x86_64.rpm
c06a24dbbfcc82b820641e1f6215cf7e 2008.0/x86_64/openssh-askpass-gnome-4.7p1-2.2mdv2008.0.x86_64.rpm
b1612dfbc98eba2d2395c8275080b3b6 2008.0/x86_64/openssh-clients-4.7p1-2.2mdv2008.0.x86_64.rpm
8b36887467cb04a1c6549a7a89d24d5d 2008.0/x86_64/openssh-server-4.7p1-2.2mdv2008.0.x86_64.rpm
a4a38dc3d02ada40d15c3c82a8714431 2008.0/SRPMS/openssh-4.7p1-2.2mdv2008.0.src.rpm
Corporate 3.0:
bd39164a0885b1048a1bad7ee36e4b5c corporate/3.0/i586/openssh-4.3p1-0.5.C30mdk.i586.rpm
28d40b0131d01224e8302b09b701c241 corporate/3.0/i586/openssh-askpass-4.3p1-0.5.C30mdk.i586.rpm
b0ecd0e810a3688e8c325e2e9490ac19 corporate/3.0/i586/openssh-askpass-gnome-4.3p1-0.5.C30mdk.i586.rpm
73f0a5ed87d85459542d0daf91afc342 corporate/3.0/i586/openssh-clients-4.3p1-0.5.C30mdk.i586.rpm
7598a2dcef9d65274ceef4b05daf6f6c corporate/3.0/i586/openssh-server-4.3p1-0.5.C30mdk.i586.rpm
47a7c143a1f59df502d679fad706407b corporate/3.0/SRPMS/openssh-4.3p1-0.5.C30mdk.src.rpm
Corporate 3.0/X86_64:
9741d292d7ab4e9897144b2e9e241028 corporate/3.0/x86_64/openssh-4.3p1-0.5.C30mdk.x86_64.rpm
acfadda7a360c60928ff3cbc0396b286 corporate/3.0/x86_64/openssh-askpass-4.3p1-0.5.C30mdk.x86_64.rpm
a40bfc1509425d8d4873f09ba4655a6f corporate/3.0/x86_64/openssh-askpass-gnome-4.3p1-0.5.C30mdk.x86_64.rpm
2045a78a038012bdf8d3f008dd929848 corporate/3.0/x86_64/openssh-clients-4.3p1-0.5.C30mdk.x86_64.rpm
63f2dd8d94e1386a0dd40584cdb331ec corporate/3.0/x86_64/openssh-server-4.3p1-0.5.C30mdk.x86_64.rpm
47a7c143a1f59df502d679fad706407b corporate/3.0/SRPMS/openssh-4.3p1-0.5.C30mdk.src.rpm
Corporate 4.0:
90a82a41e96edc3a906415fd8752d4ae corporate/4.0/i586/openssh-4.3p1-0.6.20060mlcs4.i586.rpm
ccc5e86dd030d38ea68e20fc94f2f09d corporate/4.0/i586/openssh-askpass-4.3p1-0.6.20060mlcs4.i586.rpm
98f6b7de70978476bc88649dd1d7aee5 corporate/4.0/i586/openssh-askpass-gnome-4.3p1-0.6.20060mlcs4.i586.rpm
e9ccaf3b3f2da24a319f0a8486bba6a6 corporate/4.0/i586/openssh-clients-4.3p1-0.6.20060mlcs4.i586.rpm
2a21febb787249e6640326faf776a47b corporate/4.0/i586/openssh-server-4.3p1-0.6.20060mlcs4.i586.rpm
3c9380388adfa5ce11c469aba798fa50 corporate/4.0/SRPMS/openssh-4.3p1-0.6.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
75c4138df03cb7338e4f0fd00b11d089 corporate/4.0/x86_64/openssh-4.3p1-0.6.20060mlcs4.x86_64.rpm
ee15ff755b409b38d0ef5565d33f46a3 corporate/4.0/x86_64/openssh-askpass-4.3p1-0.6.20060mlcs4.x86_64.rpm
4fefe00577fc32dfc1b998dbf938086f corporate/4.0/x86_64/openssh-askpass-gnome-4.3p1-0.6.20060mlcs4.x86_64.rpm
ae087298d947fa6042f9b0bb6ca4eb47 corporate/4.0/x86_64/openssh-clients-4.3p1-0.6.20060mlcs4.x86_64.rpm
eac093e98f64783eeefc12a4db6ec2c2 corporate/4.0/x86_64/openssh-server-4.3p1-0.6.20060mlcs4.x86_64.rpm
3c9380388adfa5ce11c469aba798fa50 corporate/4.0/SRPMS/openssh-4.3p1-0.6.20060mlcs4.src.rpm
Multi Network Firewall 2.0:
64edf29914476e979c84adc5126d146b mnf/2.0/i586/openssh-4.3p1-0.5.M20mdk.i586.rpm
3852bab5554701da9d449c4a3be4c63b mnf/2.0/i586/openssh-askpass-4.3p1-0.5.M20mdk.i586.rpm
3b2d30fbfd949cc0cb8854cc372eb0c1 mnf/2.0/i586/openssh-askpass-gnome-4.3p1-0.5.M20mdk.i586.rpm
1023e4044888cd2c60840328a0a94eb4 mnf/2.0/i586/openssh-clients-4.3p1-0.5.M20mdk.i586.rpm
6a9319816793ec07b1874c880599c316 mnf/2.0/i586/openssh-server-4.3p1-0.5.M20mdk.i586.rpm
3e888dc4c4879fcb9d834bac1b789405 mnf/2.0/SRPMS/openssh-4.3p1-0.5.M20mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
iD8DBQFH6s6BmqjQ0CJFipgRAv/DAKCChRGxX5CS6Shhn5MiT5mvechPmgCeNbMJ
a02Qog6Gy/e/vPp21tMQDbM=
=pdXy
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists