Yellow Dog Linux Security Advisory: YDU-20030917-1

Terra Soft Security Team yellowdog-updates@lists.terrasoftsolutions.com
17 Sep 2003 22:22:05 -0600


Yellow Dog Linux Security Announcement
--------------------------------------

Package:	openssh	
Issue Date:	Sep 17, 2003
Priority:	high
Advisory ID: 	YDU-20030917-1


1. 	Topic:

	Updated openssh packages are available.


2. 	Problem:

	"Updated packages are now available to fix additional buffer manipulation
	problems which were fixed in OpenSSH 3.7.1. The Common Vulnerabilities and
	Exposures project (cve.mitre.org) has assigned the name CAN-2003-0695 to
	these additional issues.

	We have also included fixes from Solar Designer for some additional memory
	bugs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has
	assigned the name CAN-2003-0682 to these issues.

	OpenSSH is a suite of network connectivity tools that can be used to
	establish encrypted connections between systems on a network and can
	provide interactive login sessions and port forwarding, among other functions.

	The OpenSSH team has announced a bug which affects the OpenSSH buffer
	handling code. This bug has the potential of being remotely exploitable.
	The Common Vulnerabilities and Exposures project (cve.mitre.org) has
	assigned the name CAN-2003-0693 to this issue.

	All users of OpenSSH should immediately apply this update which contains a
	backported fix for this issue."
	(from Red Hat Advisory)


3. 	Solution:

	a) Updating via yum...
	We suggest that you use the yum program to keep your
	system up-to-date. The following command(s) will retrieve
	and install the fixed version of this update onto your system:

		yum update openssh

	b) Updating manually...
	Download the updates below and then run the following rpm command.
	(Please use a mirror site)

		rpm -Fvh [filenames]
		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-3.0/
			ppc/openssh-3.5p1-11.ppc.rpm
			ppc/openssh-askpass-3.5p1-11.ppc.rpm
			ppc/openssh-askpass-gnome-3.5p1-11.ppc.rpm
			ppc/openssh-clients-3.5p1-11.ppc.rpm
			ppc/openssh-server-3.5p1-11.ppc.rpm


4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
7840ab7a3823b224e7758f8436271d45  SRPMS/openssh-3.5p1-11.src.rpm
69b608fa15c4f1dc5baeaf37f8aa336f  ppc/openssh-3.5p1-11.ppc.rpm
1ebda5bff78251003cbc75edd179b51c  ppc/openssh-askpass-3.5p1-11.ppc.rpm
59a5d650e06bb531774cd1f86ac2f978  ppc/openssh-askpass-gnome-3.5p1-11.ppc.rpm
cbaf8bdb55212bbc38623b29f68da4da  ppc/openssh-clients-3.5p1-11.ppc.rpm
bdbee796e35f01829f69b70c483bff79  ppc/openssh-server-3.5p1-11.ppc.rpm


If you wish to verify that each package has not been corrupted or tampered with,
run the following command and compare its output with the checksum listed above:

	md5sum <filename>
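
The check above can be run over every downloaded package at once. The script below is an added example, not part of the original advisory or Terra Soft's tooling; the function names and the example-1.0-1.ppc.rpm demo file are constructed, and it assumes the advisory has been saved as a text file with the table layout shown in section 4.

```shell
#!/bin/sh
# Added example (not Terra Soft's tooling): check downloaded RPMs against
# the "MD5 checksum / Package" table of a saved advisory.

# extract_sums ADVISORY
# Emit "md5  filename" for each table row: a 32-hex-digit sum followed by
# a path ending in .rpm. The ppc/ or SRPMS/ directory prefix is dropped.
extract_sums() {
    awk 'NF == 2 && length($1) == 32 && $1 ~ /^[0-9a-f]+$/ && $2 ~ /\.rpm$/ {
        n = split($2, part, "/")
        printf "%s  %s\n", $1, part[n]
    }' "$1"
}

# verify_rpms ADVISORY DIR
# Returns 0 only if at least one listed file was found in DIR and every
# file found matches its listed sum; 2 if the advisory has no table.
verify_rpms() {
    advisory=$1 dir=$2 checked=0 bad=0
    list=$(extract_sums "$advisory")
    [ -n "$list" ] || { echo "no checksum table found" >&2; return 2; }
    while read -r want name; do
        [ -f "$dir/$name" ] || { echo "SKIP  $name (not downloaded)"; continue; }
        checked=$((checked + 1))
        got=$(md5sum "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK    $name"
        else
            echo "FAIL  $name"
            bad=$((bad + 1))
        fi
    done <<EOF
$list
EOF
    [ "$checked" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed demo: a stand-in file and a one-row table in the same layout.
demo=$(mktemp -d)
printf 'constructed sample\n' > "$demo/example-1.0-1.ppc.rpm"
demo_sum=$(md5sum "$demo/example-1.0-1.ppc.rpm" | cut -d' ' -f1)
printf '%s  ppc/example-1.0-1.ppc.rpm\n' "$demo_sum" > "$demo/advisory.txt"
verify_rpms "$demo/advisory.txt" "$demo"
rm -rf "$demo"
```

A passing result only shows that the files match the table, so the table itself should be taken from a copy of the advisory you trust.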


5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.terrasoftsolutions.com/ for more
information.

For information regarding the usage of yum, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/yum.shtml