Yellow Dog Linux Security Advisory: YDU-20020626-2

Dan Burcaw yellowdog-updates@lists.terrasoftsolutions.com
26 Jun 2002 15:16:15 -0600


(note: not all mirrors have this update yet, and the ones that do are
extremely congested. The packages are temporarily available for *manual
download* at: ftp://ftp.terraplex.com/updates)


Yellow Dog Linux Security Announcement
--------------------------------------

Package:	openssh
Issue Date: 	June 26, 2002	
Priority:	high		
Advisory ID: 	YDU-20020626-2


1. 	Topic:

	Updated openssh packages are available.


2. 	Problem:

	OpenSSH contains a serious input validation error that
	can result in an integer overflow and privilege escalation.

	Terra Soft has patched OpenSSH to correct this problem via the
	patches provided by the OpenSSH team.  For more details, see
	the OpenSSH team's security advisory at http://lwn.net/Articles/3531/.

	All users of OpenSSH are urged to install these updated packages
	as soon as possible.
	

3. 	Solution:

   	a) Updating via apt...
   	We suggest that you use the apt-get program to keep your
   	system up-to-date. The following command(s) will retrieve
   	and install the fixed version of this update onto your system:

		apt-get update
		apt-get install openssh

   	b) Updating manually...
	Download the updates below for your version of Yellow Dog Linux
	and then run the following rpm command.
   	(Please use a mirror site)

		rpm -Fvh [filenames]

		Yellow Dog Linux 2.3
		  ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
			ppc/openssh-3.1p1-2.3a.ppc.rpm
			ppc/openssh-askpass-3.1p1-2.3a.ppc.rpm
			ppc/openssh-askpass-gnome-3.1p1-2.3a.ppc.rpm
			ppc/openssh-clients-3.1p1-2.3a.ppc.rpm
			ppc/openssh-server-3.1p1-2.3a.ppc.rpm

		Yellow Dog Linux 2.2
		  ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/
			ppc/openssh-3.1p1-2.2a.ppc.rpm
			ppc/openssh-askpass-3.1p1-2.2a.ppc.rpm
			ppc/openssh-askpass-gnome-3.1p1-2.2a.ppc.rpm
			ppc/openssh-clients-3.1p1-2.2a.ppc.rpm
			ppc/openssh-server-3.1p1-2.2a.ppc.rpm


4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
[Yellow Dog Linux 2.3]
1c5cdd3c8834f4525624287f06c59510  SRPMS/openssh-3.1p1-2.3a.src.rpm
5fefe116bc9f62e7a9e93fe672fe5930  ppc/openssh-3.1p1-2.3a.ppc.rpm
f50b95521a8ca186873e8237c97ac50a  ppc/openssh-askpass-3.1p1-2.3a.ppc.rpm
132873ac82c23a27cfea6628a00b64d9  ppc/openssh-askpass-gnome-3.1p1-2.3a.ppc.rpm
c4d289d5eecb3a4274b9f47346a8d95d  ppc/openssh-clients-3.1p1-2.3a.ppc.rpm
7135bf2e7ceb47110603b3a6d6891268  ppc/openssh-server-3.1p1-2.3a.ppc.rpm

[Yellow Dog Linux 2.2]
dc0fff066d8c17166e3c15d412e0a028  SRPMS/openssh-3.1p1-2.2a.src.rpm
bfb8dcd0b561071549ba33cc21a31f25  ppc/openssh-3.1p1-2.2a.ppc.rpm
080141a7303d875b4243311d362aad00  ppc/openssh-askpass-3.1p1-2.2a.ppc.rpm
fe8619a32100757230df1e8ed9db8bdc  ppc/openssh-askpass-gnome-3.1p1-2.2a.ppc.rpm
9a249fdb84a751e3f36fda3f2e367ced  ppc/openssh-clients-3.1p1-2.2a.ppc.rpm
a17be4f11492e30b06141b21ae22f121  ppc/openssh-server-3.1p1-2.2a.ppc.rpm

If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename
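
The rpm command above checks each package against the digest stored inside the
package itself; to also compare downloaded files with the table published in
this section, the table can be parsed and checked as in the following added
example (not part of Terra Soft's advisory). The function names and the
constructed sample data in demo() are assumptions for illustration.

```python
import hashlib, re, tempfile
from pathlib import Path

ROW = re.compile(r"^([0-9a-fA-F]{32})\s+(\S+\.rpm)$")   # "<md5>  <path>.rpm"
RELEASE = re.compile(r"^\[(.+)\]$")                     # "[Yellow Dog Linux 2.3]"

def parse_table(text):
    """Return {release: {package basename: md5}} from the advisory table."""
    table, release = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := RELEASE.match(line):
            release = m.group(1)
            table[release] = {}
        elif (m := ROW.match(line)) and release is not None:
            # Key on the basename: a download loses its ppc/ or SRPMS/ prefix.
            table[release][Path(m.group(2)).name] = m.group(1).lower()
    return table

def md5_of(path, chunk=1 << 16):
    h = hashlib.md5()
    with open(path, "rb") as f:
        while block := f.read(chunk):   # chunked: packages need not fit in memory
            h.update(block)
    return h.hexdigest()

def verify(table, release, directory):
    """Map each package listed for a release to 'ok', 'MISMATCH' or 'missing'."""
    result = {}
    for name, expected in table[release].items():
        path = Path(directory) / name
        if not path.is_file():
            result[name] = "missing"
        else:
            result[name] = "ok" if md5_of(path) == expected else "MISMATCH"
    return result

def demo():
    """Constructed table and fake package bytes, not the advisory's real sums."""
    good, bad = b"constructed package A", b"constructed package B"
    text = "\n".join([
        "MD5 checksum                      Package",
        "[Example Release 1.0]",
        hashlib.md5(good).hexdigest() + "  ppc/a-1.0.ppc.rpm",
        hashlib.md5(bad).hexdigest() + "  ppc/b-1.0.ppc.rpm",
        hashlib.md5(b"src").hexdigest() + "  SRPMS/a-1.0.src.rpm",
    ])
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "a-1.0.ppc.rpm").write_bytes(good)
        (Path(d) / "b-1.0.ppc.rpm").write_bytes(bad + b" altered")
        return verify(parse_table(text), "Example Release 1.0", d)
```

To use it on real downloads, pass the text of the table in this section to
parse_table() and call verify() with the release name and download directory.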


5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.

For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml