[yellowdog-updates] Yellow Dog Linux Security Advisory: YDU-20020309-1


Subject: [yellowdog-updates] Yellow Dog Linux Security Advisory: YDU-20020309-1
dburcaw@newhope.terraplex.com
Date: Sat Mar 09 2002 - 17:42:15 MST


Yellow Dog Linux Security Announcement
--------------------------------------

Package: openssh
Issue Date: March 09, 2002
Priority: high
Advisory ID: YDU-20020309-1

1. Topic:

        Updated openssh packages fix a potential remote root exploit in sshd.

2. Problem:

        "Joost Pol has discovered an off-by-one error in all versions of the
        OpenSSH daemon (sshd) prior to version 3.1.

        This issue could allow an authenticated user to cause sshd to corrupt
        its heap, potentially allowing arbitrary code to be executed on the remote
        server. Alternatively, a malicious SSH server could be crafted to attack
        a vulnerable OpenSSH client.

        Users are advised to upgrade to these errata packages containing OpenSSH
        3.1, which is not vulnerable to this issue.

        The Common Vulnerabilities and Exposures project (cve.mitre.org) has
        assigned the name CAN-2002-0083 to this issue."
        (from Red Hat's advisory)

3. Solution:

           a) Updating via yup...
           We suggest that you use the Yellow Dog Update Program (yup)
           to keep your system up-to-date. The following commands will
           automatically retrieve and install the fixed packages
           onto your system:

                yup update openssh
                yup update openssh-askpass
                yup update openssh-askpass-gnome
                yup update openssh-clients
                yup update openssh-server

           b) Updating manually...
           The update can also be retrieved manually from our ftp site
           below, along with the rpm commands that should be used to install
           it. (Please use a mirror site.) Note that rpm -F (freshen) only
           upgrades packages that are already installed, so sub-packages you
           do not have are skipped rather than newly added.

                ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.1/ppc/
                rpm -Fvh openssh-3.1p1-2.ppc.rpm
                rpm -Fvh openssh-askpass-3.1p1-2.ppc.rpm
                rpm -Fvh openssh-askpass-gnome-3.1p1-2.ppc.rpm
                rpm -Fvh openssh-clients-3.1p1-2.ppc.rpm
                rpm -Fvh openssh-server-3.1p1-2.ppc.rpm

4. Verification

MD5 checksum Package
-------------------------------- ----------------------------
867fe04ffa1287cdf41c11b54c637476 ppc/openssh-3.1p1-2.ppc.rpm
728a3c16c461f4ba2bcac8cfaee1991f ppc/openssh-askpass-3.1p1-2.ppc.rpm
83861f3c3b2b989915488d2b2cbfdc25 ppc/openssh-askpass-gnome-3.1p1-2.ppc.rpm
8751a43409127dff1d5848e4209b764d ppc/openssh-clients-3.1p1-2.ppc.rpm
f648310c47d1a32a52a948b7e48a4533 ppc/openssh-server-3.1p1-2.ppc.rpm
f18dc5e67596b5504f2ccc9cfaf7b6cf SRPMS/openssh-3.1p1-2.src.rpm

If you wish to verify that each package has not been corrupted or tampered with,
compare its md5sum against the table above (md5sum filename) and check the
digests embedded in the package with: rpm --checksig --nogpg filename
Note that --nogpg skips the GPG signature check, so these steps verify the
integrity of the download only, not who built the package.
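
The manual procedure in sections 3b and 4, as an added example in POSIX shell
(this is not the advisory's text nor Terra Soft's yup tooling): decide from an
installed version string whether the host is affected (the quoted Red Hat text
says everything before 3.1), verify the downloaded packages against the MD5
table in section 4, and only then freshen-install them. The function names
(openssh_vulnerable, md5_of, verify_dir, install_updates) are this example's
own; it assumes GNU md5sum (or openssl as a fallback) and rpm on the target,
and the offline demonstration at the bottom uses a constructed file, not a
real package.

```shell
#!/bin/sh
# Added example, not part of the Yellow Dog advisory or of yup.
# Package names and MD5 values below are copied from section 4 of the
# advisory, laid out in the two-column format md5sum -c understands.
YDU_20020309_1_MD5='
867fe04ffa1287cdf41c11b54c637476  openssh-3.1p1-2.ppc.rpm
728a3c16c461f4ba2bcac8cfaee1991f  openssh-askpass-3.1p1-2.ppc.rpm
83861f3c3b2b989915488d2b2cbfdc25  openssh-askpass-gnome-3.1p1-2.ppc.rpm
8751a43409127dff1d5848e4209b764d  openssh-clients-3.1p1-2.ppc.rpm
f648310c47d1a32a52a948b7e48a4533  openssh-server-3.1p1-2.ppc.rpm
'

# openssh_vulnerable VERSION: true (0) if an OpenSSH version string such as
# "2.9p2" or "3.0.2p1" is older than 3.1, i.e. affected per the advisory.
# Typical input: rpm -q --qf '%{VERSION}' openssh-server
openssh_vulnerable() {
    v=${1%%p*}            # drop the portable-release suffix: 3.0.2p1 -> 3.0.2
    major=${v%%.*}
    rest=${v#"$major"}
    rest=${rest#.}
    minor=${rest%%.*}
    [ -z "$minor" ] && minor=0
    [ "$major" -lt 3 ] && return 0
    [ "$major" -eq 3 ] && [ "$minor" -lt 1 ] && return 0
    return 1
}

# md5_of FILE: print the lower-case hex MD5 of FILE.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# verify_dir DIR TABLE: check every package listed in TABLE that exists in
# DIR. Returns 1 if any present package mismatches; packages that were not
# downloaded are reported but do not fail the check (rpm -F skips them).
verify_dir() {
    dir=$1
    bad=0
    while read -r sum name; do
        [ -z "$name" ] && continue
        if [ ! -f "$dir/$name" ]; then
            echo "missing:  $name (not downloaded)"
            continue
        fi
        if [ "$(md5_of "$dir/$name")" = "$sum" ]; then
            echo "ok:       $name"
        else
            echo "MISMATCH: $name (refusing to install)"
            bad=1
        fi
    done <<EOF
$2
EOF
    return $bad
}

# install_updates DIR: freshen-install the verified packages. Requires rpm
# and root; deliberately not called from the top level of this file.
install_updates() {
    verify_dir "$1" "$YDU_20020309_1_MD5" || return 1
    rpm -Fvh "$1"/openssh*-3.1p1-2.ppc.rpm
}

# Offline demonstration with a constructed file (not a real package):
# "hello\n" has MD5 b1946ac92492d2347c6235b4d2611184.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/sample.rpm"
verify_dir "$demo_dir" 'b1946ac92492d2347c6235b4d2611184  sample.rpm'
printf 'tampered\n' > "$demo_dir/sample.rpm"
if verify_dir "$demo_dir" 'b1946ac92492d2347c6235b4d2611184  sample.rpm'; then
    echo "BUG: tampering not detected"
else
    echo "tampering detected, install refused"
fi
rm -rf "$demo_dir"
```

On a real host the flow is: `openssh_vulnerable "$(rpm -q --qf '%{VERSION}' openssh-server)"` to decide whether to act, download the needed RPMs from a mirror into one directory, then `install_updates /path/to/dir`. The MD5 comparison catches corruption and casual tampering in transit; it does not establish who built the package, which only a signature check (`rpm --checksig` without `--nogpg`, against a trusted key) can do.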

5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and
package enhancement announcements will be posted. See http://lists.yellowdoglinux.com/
for more information.

For information regarding the usage of yup, the Yellow Dog Update Program, see
http://www.yellowdoglinux.com/support/solutions/ydl_general/yup.shtml



This archive was generated by hypermail 2a24 : Sat Mar 09 2002 - 17:42:35 MST