Conectiva alert CLA-2003:739 (openssh)
| Header | Value |
|---|---|
| From | Conectiva Updates <secure@conectiva.com.br> |
| To | conectiva-updates@papaleguas.conectiva.com.br, lwn@lwn.net, bugtraq@securityfocus.com, security-alerts@linuxsecurity.com, linsec@lists.seifried.org |
| Subject | [CLA-2003:739] Conectiva Security Announcement - openssh |
| Date | Tue, 16 Sep 2003 16:33:15 -0300 |
--------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------------

PACKAGE           : openssh
SUMMARY           : Remote vulnerability
DATE              : 2003-09-16 16:32:00
ID                : CLA-2003:739
RELEVANT RELEASES : 7.0, 8, 9

-------------------------------------------------------------------------

DESCRIPTION
 OpenSSH[1] is a very popular and versatile tool that uses encrypted
 connections between hosts and is commonly used for remote administration.

 This update fixes a potential remote vulnerability[2] in the buffer
 handling code of OpenSSH. Although there is no concrete information
 about the impact of this vulnerability, it is believed that an attacker
 can gain root access by exploiting it.

 The OpenSSH team released version 3.7, which fixes this vulnerability.
 This update contains the versions originally distributed with Conectiva
 Linux, with the backported patches[3] applied.

 The Common Vulnerabilities and Exposures project (cve.mitre.org) has
 assigned the name CAN-2003-0693 to this issue[4].

SOLUTION
 It is recommended that all OpenSSH users upgrade their packages.

 The ssh service will be automatically restarted during the upgrade if it
 is already running. Current ssh sessions will remain open during the
 restart.
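To verify that a host actually carries a fixed build, the name-version-release string printed by `rpm -q openssh` has to be compared against the fixed packages the advisory lists, using rpm's own segment-wise version ordering rather than a plain string compare. The following Python is an added example, not part of the advisory or of Conectiva's tooling; it reimplements rpm's version comparison (without the tilde/caret rules of later rpm versions), assumes no epoch is involved since the advisory lists none, and the installed versions it checks are constructed samples.

```python
import re

# Fixed name-version-release strings taken from the advisory's UPDATED
# PACKAGES list, keyed by Conectiva Linux release.
FIXED = {
    "7.0": "openssh-3.4p1-1U70_2cl",
    "8": "openssh-3.4p1-1U80_2cl",
    "9": "openssh-3.5p1-27767U90_1cl",
}


def rpmvercmp(a, b):
    """Compare two version/release strings as rpm does: split into
    numeric and alphabetic segments (separators ignored), compare numeric
    segments by value, alphabetic ones lexically. Returns -1, 0 or 1."""
    if a == b:
        return 0
    while a and b:
        a = re.sub(r"^[^0-9A-Za-z]+", "", a)  # skip separators like . _ -
        b = re.sub(r"^[^0-9A-Za-z]+", "", b)
        if not (a and b):
            break
        isnum = a[0].isdigit()
        ma = re.match(r"[0-9]*" if isnum else r"[A-Za-z]*", a)
        mb = re.match(r"[0-9]*" if isnum else r"[A-Za-z]*", b)
        seg_a, seg_b = ma.group(), mb.group()
        a, b = a[ma.end():], b[mb.end():]  # advance past both segments
        if not seg_b:  # segment types differ: numeric segment is newer
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # more digits means larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if not a and not b:
        return 0
    return -1 if not a else 1  # whichever string has segments left wins


def is_patched(installed_nvr, conectiva_release):
    """True if installed 'name-version-release' (rpm -q output) is at or
    above the fixed package for that release. Assumes no epoch."""
    name, ver, rel = installed_nvr.rsplit("-", 2)
    fixed_name, fixed_ver, fixed_rel = FIXED[conectiva_release].rsplit("-", 2)
    if name != fixed_name:
        raise ValueError(f"expected package {fixed_name}, got {name}")
    return (rpmvercmp(ver, fixed_ver) or rpmvercmp(rel, fixed_rel)) >= 0


if __name__ == "__main__":
    # Constructed samples: the first is an older, still-vulnerable build.
    for nvr, rel in [("openssh-3.4p1-1U70_1cl", "7.0"),
                     ("openssh-3.5p1-27767U90_1cl", "9")]:
        print(nvr, "patched" if is_patched(nvr, rel) else "VULNERABLE")
```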
REFERENCES
 1. http://www.openssh.org
 2. http://www.openssh.com/txt/buffer.adv
 3. http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/buffer.c.diff?r1=1.1.1.6&r2=1.1.1.7
 4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693

UPDATED PACKAGES
 ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-3.4p1-1U70_2cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-askpass-3.4p1-1U70_2cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-askpass-gnome-3.4p1-1U70_2cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-clients-3.4p1-1U70_2cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-server-3.4p1-1U70_2cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/openssh-3.4p1-1U70_2cl.src.rpm
 ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-3.4p1-1U80_2cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-askpass-3.4p1-1U80_2cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-askpass-gnome-3.4p1-1U80_2cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-clients-3.4p1-1U80_2cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-server-3.4p1-1U80_2cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/8/SRPMS/openssh-3.4p1-1U80_2cl.src.rpm
 ftp://atualizacoes.conectiva.com.br/9/RPMS/openssh-3.5p1-27767U90_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/9/RPMS/openssh-askpass-3.5p1-27767U90_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/9/RPMS/openssh-askpass-gnome-3.5p1-27767U90_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/9/RPMS/openssh-clients-3.5p1-27767U90_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/9/RPMS/openssh-server-3.5p1-27767U90_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/9/SRPMS/openssh-3.5p1-27767U90_1cl.src.rpm

ADDITIONAL INSTRUCTIONS
 The apt tool can be used to perform RPM package upgrades:
 - run: apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples can
 be found at
 http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

-------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en

Instructions on how to check the signatures of the RPM packages can be
found at
http://distro.conectiva.com.br/seguranca/politica/?idioma=en
-------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
-------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com
-------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
