From: Conectiva Updates <secure@conectiva.com.br>
To: conectiva-updates@papaleguas.conectiva.com.br, lwn@lwn.net, bugtraq@securityfocus.com, security-alerts@linuxsecurity.com, linsec@lists.seifried.org
Subject: [CLA-2003:739] Conectiva Security Announcement - openssh
Date: Tue, 16 Sep 2003 16:33:15 -0300
--------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------------

PACKAGE           : openssh
SUMMARY           : Remote vulnerability
DATE              : 2003-09-16 16:32:00
ID                : CLA-2003:739
RELEVANT RELEASES : 7.0, 8, 9

-------------------------------------------------------------------------
DESCRIPTION
OpenSSH[1] is a very popular and versatile tool that provides encrypted
connections between hosts and is commonly used for remote
administration.

This update fixes a potential remote vulnerability[2] in the buffer
handling code of OpenSSH. Although there is no concrete information
about the impact of this vulnerability, it is believed that an
attacker could gain root access by exploiting it.

The OpenSSH team has released version 3.7, which fixes this
vulnerability. This update contains the versions originally
distributed with Conectiva Linux, with the backported patches[3] applied.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0693 to this issue[4].
SOLUTION
It is recommended that all OpenSSH users upgrade their packages.
The ssh service will be automatically restarted during the upgrade if
it is already running. Current ssh sessions will remain open during
the restart.
REFERENCES:
1. http://www.openssh.org
2. http://www.openssh.com/txt/buffer.adv
3. http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/buffer.c.diff?r1=1.1.1.6&r2=1.1.1.7
4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-3.4p1-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-askpass-3.4p1-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-askpass-gnome-3.4p1-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-clients-3.4p1-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-server-3.4p1-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/openssh-3.4p1-1U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-3.4p1-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-askpass-3.4p1-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-askpass-gnome-3.4p1-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-clients-3.4p1-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-server-3.4p1-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/openssh-3.4p1-1U80_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/openssh-3.5p1-27767U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/openssh-askpass-3.5p1-27767U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/openssh-askpass-gnome-3.5p1-27767U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/openssh-clients-3.5p1-27767U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/openssh-server-3.5p1-27767U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/openssh-3.5p1-27767U90_1cl.src.rpm
ADDITIONAL INSTRUCTIONS
The apt tool can be used to upgrade the RPM packages:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions regarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
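Once the upgrade has run, an administrator will want to confirm that the installed openssh packages are at or above the fixed versions listed under UPDATED PACKAGES. The following is an added example (not Conectiva's tooling): the fixed version strings are taken from the advisory, the comparison is a simplified reimplementation of rpm's segment-wise version ordering (assumed sufficient for these strings), and the function names are my own.

```python
"""Check whether an installed Conectiva OpenSSH package is at or above the
version fixed in CLA-2003:739.  Added example, not Conectiva's own tooling."""
import re
from typing import Optional, Tuple

# Fixed (version, release) per Conectiva Linux release, copied from the
# advisory's UPDATED PACKAGES list.
FIXED = {
    "7.0": ("3.4p1", "1U70_2cl"),
    "8":   ("3.4p1", "1U80_2cl"),
    "9":   ("3.5p1", "27767U90_1cl"),
}

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm version comparison (assumption: tilde/caret handling
    is not needed here).  Strings are split into numeric and alphabetic
    segments; numbers compare as integers, letters lexically, and a numeric
    segment sorts newer than an alphabetic one, as rpm does."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd != yd:
            return 1 if xd else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nvr(nvr: str) -> Tuple[str, str, str]:
    """'openssh-server-3.4p1-1U70_2cl' -> ('openssh-server', '3.4p1', '1U70_2cl')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_patched(nvr: str, cl_release: str) -> Optional[bool]:
    """True if the installed openssh* package (as printed by `rpm -q`) is at
    or above the fixed version for the given Conectiva release, False if it
    is older, None if the release is not covered by this advisory."""
    fixed = FIXED.get(cl_release)
    if fixed is None:
        return None
    _, ver, rel = split_nvr(nvr)
    c = rpmvercmp(ver, fixed[0])
    if c == 0:
        c = rpmvercmp(rel, fixed[1])
    return c >= 0
```

Feed it the output of `rpm -q openssh-server` together with the Conectiva release in use; a False result means the host is still running a pre-fix package.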
-------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
-------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
-------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com
-------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br