Yellow Dog Linux Security Advisory: YDU-20020626-2
Dan Burcaw
yellowdog-updates@lists.terrasoftsolutions.com
26 Jun 2002 15:16:15 -0600
(Note: not all mirrors have this update yet, and the ones that do are
extremely congested. The packages are temporarily available for *manual
download* at: ftp://ftp.terraplex.com/updates)
Yellow Dog Linux Security Announcement
--------------------------------------
Package: openssh
Issue Date: June 26, 2002
Priority: high
Advisory ID: YDU-20020626-2
1. Topic:
Updated openssh packages are available.
2. Problem:
OpenSSH contains a serious input validation error that
can result in an integer overflow and privilege escalation.
Terra Soft has patched OpenSSH to correct this problem via the
patches provided by the OpenSSH team. For more details, see
the OpenSSH team's security advisory at http://lwn.net/Articles/3531/.
All users of OpenSSH are urged to install these updated packages
as soon as possible.
3. Solution:
a) Updating via apt...
We suggest that you use the apt-get program to keep your
system up-to-date. The following command(s) will retrieve
and install the fixed version of this update onto your system:
apt-get update
apt-get install openssh
b) Updating manually...
Download the updates below for your version of Yellow Dog Linux
and then run the following rpm command.
(Please use a mirror site)
rpm -Fvh [filenames]
Yellow Dog Linux 2.3
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
ppc/openssh-3.1p1-2.3a.ppc.rpm
ppc/openssh-askpass-3.1p1-2.3a.ppc.rpm
ppc/openssh-askpass-gnome-3.1p1-2.3a.ppc.rpm
ppc/openssh-clients-3.1p1-2.3a.ppc.rpm
ppc/openssh-server-3.1p1-2.3a.ppc.rpm
Yellow Dog Linux 2.2
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/
ppc/openssh-3.1p1-2.2a.ppc.rpm
ppc/openssh-askpass-3.1p1-2.2a.ppc.rpm
ppc/openssh-askpass-gnome-3.1p1-2.2a.ppc.rpm
ppc/openssh-clients-3.1p1-2.2a.ppc.rpm
ppc/openssh-server-3.1p1-2.2a.ppc.rpm
4. Verification
MD5 checksum Package
-------------------------------- ----------------------------
[Yellow Dog Linux 2.3]
1c5cdd3c8834f4525624287f06c59510 SRPMS/openssh-3.1p1-2.3a.src.rpm
5fefe116bc9f62e7a9e93fe672fe5930 ppc/openssh-3.1p1-2.3a.ppc.rpm
f50b95521a8ca186873e8237c97ac50a ppc/openssh-askpass-3.1p1-2.3a.ppc.rpm
132873ac82c23a27cfea6628a00b64d9 ppc/openssh-askpass-gnome-3.1p1-2.3a.ppc.rpm
c4d289d5eecb3a4274b9f47346a8d95d ppc/openssh-clients-3.1p1-2.3a.ppc.rpm
7135bf2e7ceb47110603b3a6d6891268 ppc/openssh-server-3.1p1-2.3a.ppc.rpm
[Yellow Dog Linux 2.2]
dc0fff066d8c17166e3c15d412e0a028 SRPMS/openssh-3.1p1-2.2a.src.rpm
bfb8dcd0b561071549ba33cc21a31f25 ppc/openssh-3.1p1-2.2a.ppc.rpm
080141a7303d875b4243311d362aad00 ppc/openssh-askpass-3.1p1-2.2a.ppc.rpm
fe8619a32100757230df1e8ed9db8bdc ppc/openssh-askpass-gnome-3.1p1-2.2a.ppc.rpm
9a249fdb84a751e3f36fda3f2e367ced ppc/openssh-clients-3.1p1-2.2a.ppc.rpm
a17be4f11492e30b06141b21ae22f121 ppc/openssh-server-3.1p1-2.2a.ppc.rpm
If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename
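Added example, not part of the original advisory or Terra Soft's tooling: a POSIX shell helper that reads the "MD5 checksum / Package" table above from a saved copy of this advisory and compares it with RPMs downloaded by hand. The function name verify_advisory, the saved-advisory file and the download directory are assumptions, and md5sum is assumed to be installed. Because --nogpg skips signature checking, a digest match is only as trustworthy as the copy of the advisory the table came from.

```shell
#!/bin/sh
# Added example (not Terra Soft's tooling); verify_advisory is a hypothetical helper.
# Usage: verify_advisory <saved-advisory.txt> <release name> <directory of RPMs>
# Returns 0 if every file found matched, 1 on any mismatch, 2 if nothing was checked.
verify_advisory() {
    advisory=$1; release=$2; dir=$3
    in_section=0; checked=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "[$release]") in_section=1; continue ;;   # e.g. [Yellow Dog Linux 2.3]
            "["*"]")      in_section=0; continue ;;   # another release's block
        esac
        [ "$in_section" -eq 1 ] || continue
        sum=${line%% *}      # first field: the MD5 digest
        path=${line##* }     # last field: SRPMS/... or ppc/...
        # Keep only rows whose first field is exactly 32 lowercase hex digits.
        case $sum in *[!0-9a-f]*) continue ;; esac
        [ "${#sum}" -eq 32 ] || continue
        # Use the basename only, so a path in the text cannot escape $dir.
        file=$dir/${path##*/}
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            continue
        fi
        actual=$(md5sum < "$file")
        actual=${actual%% *}
        if [ "$actual" = "$sum" ]; then
            echo "OK       $path"; checked=$((checked + 1))
        else
            echo "MISMATCH $path"; bad=$((bad + 1))
        fi
    done < "$advisory"
    [ "$bad" -eq 0 ] || return 1
    [ "$checked" -gt 0 ] || return 2   # an empty result must not look like success
    return 0
}

# Run directly: sh verify.sh advisory.txt "Yellow Dog Linux 2.3" ./downloads
if [ "$#" -eq 3 ]; then verify_advisory "$@"; fi
```

Files that were not downloaded are reported as MISSING without failing the run; install with rpm -Fvh only after every downloaded file reports OK.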
5. Misc.
Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.
For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml