From: dburcaw@newhope.terraplex.com
To: yellowdog-updates@lists.yellowdoglinux.com
Subject: [yellowdog-updates] Yellow Dog Linux Security Advisory: YDU-20020309-1
Date: 10 Mar 2002 00:42:15 -0000

Yellow Dog Linux Security Announcement
--------------------------------------

Package: openssh
Issue Date: March 09, 2002
Priority: high
Advisory ID: YDU-20020309-1

1. Topic:

Updated openssh packages fix a potential remote root exploit in sshd.

2. Problem:

"Joost Pol has discovered an off-by-one error in all versions of the OpenSSH daemon (sshd) prior to version 3.1. This issue could allow an authenticated user to cause sshd to corrupt its heap, potentially allowing arbitrary code to be executed on the remote server. Alternatively, a malicious SSH server could be crafted to attack a vulnerable OpenSSH client.

Users are advised to upgrade to these errata packages containing OpenSSH 3.1, which is not vulnerable to this issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0083 to this issue." (from Red Hat's advisory)

3. Solution:

a) Updating via yup...

We suggest that you use the Yellow Dog Update Program (yup) to keep your system up-to-date. The following command(s) will automatically retrieve and install the fixed version of this update onto your system:

    yup update openssh
    yup update openssh-askpass
    yup update openssh-askpass-gnome
    yup update openssh-clients
    yup update openssh-server

b) Updating manually...

The update can also be retrieved manually from our ftp site below along with the rpm command that should be used to install the update. (Please use a mirror site)

    ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.1/ppc/

    rpm -Fvh openssh-3.1p1-2.ppc.rpm
    rpm -Fvh openssh-askpass-3.1p1-2.ppc.rpm
    rpm -Fvh openssh-askpass-gnome-3.1p1-2.ppc.rpm
    rpm -Fvh openssh-clients-3.1p1-2.ppc.rpm
    rpm -Fvh openssh-server-3.1p1-2.ppc.rpm

4. Verification

    MD5 checksum                      Package
    --------------------------------  ----------------------------
    867fe04ffa1287cdf41c11b54c637476  ppc/openssh-3.1p1-2.ppc.rpm
    728a3c16c461f4ba2bcac8cfaee1991f  ppc/openssh-askpass-3.1p1-2.ppc.rpm
    83861f3c3b2b989915488d2b2cbfdc25  ppc/openssh-askpass-gnome-3.1p1-2.ppc.rpm
    8751a43409127dff1d5848e4209b764d  ppc/openssh-clients-3.1p1-2.ppc.rpm
    f648310c47d1a32a52a948b7e48a4533  ppc/openssh-server-3.1p1-2.ppc.rpm
    f18dc5e67596b5504f2ccc9cfaf7b6cf  SRPMS/openssh-3.1p1-2.src.rpm

If you wish to verify that each package has not been corrupted or tampered with, examine the md5sum with the following command:

    rpm --checksig --nogpg filename

5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and package enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more information.

For information regarding the usage of yup, the Yellow Dog Update Program, see http://www.yellowdoglinux.com/support/solutions/ydl_general/yup.shtml
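
One way to compare manually downloaded packages with the MD5 table in section 4 before running `rpm -Fvh`, as an added example that is not part of the original advisory. The function name `check_md5_table` and the download directory are assumptions; the checksums are the ones published above.

```shell
#!/bin/sh
# Added example: compare downloaded packages with the advisory's MD5 table.

# Checksums exactly as listed in section 4 (with the published path prefix).
ADVISORY_MD5='867fe04ffa1287cdf41c11b54c637476 ppc/openssh-3.1p1-2.ppc.rpm
728a3c16c461f4ba2bcac8cfaee1991f ppc/openssh-askpass-3.1p1-2.ppc.rpm
83861f3c3b2b989915488d2b2cbfdc25 ppc/openssh-askpass-gnome-3.1p1-2.ppc.rpm
8751a43409127dff1d5848e4209b764d ppc/openssh-clients-3.1p1-2.ppc.rpm
f648310c47d1a32a52a948b7e48a4533 ppc/openssh-server-3.1p1-2.ppc.rpm
f18dc5e67596b5504f2ccc9cfaf7b6cf SRPMS/openssh-3.1p1-2.src.rpm'

# check_md5_table TABLE DIR   (hypothetical helper, not a yup or rpm feature)
#   TABLE: lines of "<md5> <path>"; DIR: directory holding the downloads.
# Prints one status line per table entry. Returns 0 if every file that is
# present matched, 1 on any mismatch, 2 if none of the listed files was found.
check_md5_table() {
    table=$1 dir=$2 ok=0 bad=0
    while read -r want path; do
        [ -n "$want" ] || continue
        name=${path##*/}              # drop the ppc/ or SRPMS/ prefix
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"     # not downloaded; rpm -F would skip it too
            continue
        fi
        got=$(md5sum "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $name"; ok=$((ok + 1))
        else
            echo "MISMATCH $name (got $got)"; bad=$((bad + 1))
        fi
    done <<EOF
$table
EOF
    [ "$bad" -eq 0 ] || return 1
    [ "$ok" -gt 0 ] || return 2
    return 0
}
```

Call it as `check_md5_table "$ADVISORY_MD5" /path/to/downloads` and install only when it returns 0.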