From:	 Trustix Secure Linux Advisor <tsl@trustix.com>
To:	 tsl-announce@trustix.com
Subject: TSL-2001-0035 - OpenSSH take III
Date:	 Fri, 21 Dec 2001 15:48:13 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2001-0035

Package name:      OpenSSH
Severity:          Local root exploit if UseLogin option enabled
Date:              2001-12-19
Affected versions: TSL 1.01, 1.1, 1.2, 1.5

- --------------------------------------------------------------------------

Problem description:
  A malicious local user can pass environment variables to the login
  process if the administrator enables the UseLogin option.  This can
  be abused to bypass authentication and gain root access.
  Note that this option is not enabled by default on TSL.

  Updated, part II:
  There was a file conflict in the packages in the first two advisories.
  Packages are now fixed, and the MD5 sum is updated.


Action:
  We recommend that all systems with this package installed be upgraded.


Location:
  All TSL updates are available from
  <URI:http://www.trustix.net/pub/Trustix/updates/>
  <URI:ftp://ftp.trustix.net/pub/Trustix/updates/>


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.

  Get SWUP from:
  <URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.net/support/>


Verification:
  This advisory, along with all TSL packages, is signed with the TSL sign key.
  This key is available from:
  <URI:http://www.trustix.net/TSL-GPG-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.net/errata/trustix-1.2/> and
  <URI:http://www.trustix.net/errata/trustix-1.5/>
  or directly at
  <URI:http://www.trustix.net/errata/misc/2001/TSL-2001-0035-openssh.asc.txt>

MD5sums of the packages:
- --------------------------------------------------------------------------
14d7d282f890793efd0bb2fe6c7def74  ./1.5/SRPMS/openssh-3.0.2p1-3tr.src.rpm
1613df3c919e3278b4b635f5b0f2f480  ./1.5/RPMS/openssh-server-3.0.2p1-3tr.i586.rpm
c19f0a3b8560713e2598e346d4e5db17  ./1.5/RPMS/openssh-clients-3.0.2p1-3tr.i586.rpm
ffbba79d4cd3d76f4205a8000c8691f0  ./1.5/RPMS/openssh-3.0.2p1-3tr.i586.rpm
14d7d282f890793efd0bb2fe6c7def74  ./1.2/SRPMS/openssh-3.0.2p1-3tr.src.rpm
c15c124c6e09cb57e8bac74e0fc13df2  ./1.2/RPMS/openssh-server-3.0.2p1-3tr.i586.rpm
b469579b2fb9433e144a9180e59f4b8c  ./1.2/RPMS/openssh-clients-3.0.2p1-3tr.i586.rpm
7a8cf28aff4d025ea904bf412176a810  ./1.2/RPMS/openssh-3.0.2p1-3tr.i586.rpm
14d7d282f890793efd0bb2fe6c7def74  ./1.1/SRPMS/openssh-3.0.2p1-3tr.src.rpm
2866bf5a49508c24680cec6404d6847b  ./1.1/RPMS/openssh-server-3.0.2p1-3tr.i586.rpm
208c44007f0b25e788b6450bcae8e120  ./1.1/RPMS/openssh-clients-3.0.2p1-3tr.i586.rpm
59a60bb0d6ae3839895d5e88957b0935  ./1.1/RPMS/openssh-3.0.2p1-3tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8I0r4wRTcg4BxxS0RAqtHAJwK4jMqlxSEdm4D9bRgD+/omwd6iQCfV7R1
caWV5ObHq4aiefAUzJH6pOY=
=EBDF
-----END PGP SIGNATURE-----

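
The advisory says the flaw is reachable only when UseLogin is enabled. The following added example (not part of the Trustix advisory) reports the effective UseLogin value of an sshd_config. It assumes sshd_config parsing rules (case-insensitive keywords, '#' comments, first occurrence wins); the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the UseLogin option named in the
# advisory. Assumed sshd_config rules: keywords are case-insensitive,
# '#' starts a comment, keyword and value are separated by whitespace
# or '=', and the first occurrence of a keyword is the one sshd uses.

# Print "yes" or "no" for the effective UseLogin value.
# $1 is the config file; with no argument the config is read from stdin.
# An absent keyword prints "no" (the default).
uselogin_effective() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)          # drop comments
            sub(/^[ \t]+/, "", line)      # drop leading whitespace
            n = split(line, f, /[ \t]*=[ \t]*|[ \t]+/)
            if (n >= 2 && tolower(f[1]) == "uselogin") {
                v = tolower(f[2])
                gsub(/"/, "", v)          # value may be quoted
                if (v == "yes") print "yes"; else print "no"
                found = 1
                exit                      # first occurrence wins
            }
        }
        END { if (!found) print "no" }
    ' "${1:--}"
}

# Constructed sample config: the later "UseLogin no" does not override
# the earlier "yes", so this host would still be exposed.
sample_config() {
    cat <<'EOF'
# constructed sshd_config fragment
Port 22
uselogin  yes
UseLogin no
EOF
}

echo "sample config: effective UseLogin = $(sample_config | uselogin_effective)"
```

To audit a real host, pass the path of its sshd_config as the first argument to uselogin_effective; a result of "yes" means the host falls under the advisory's precondition until the updated packages are installed.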