Subject: CONECTIVA LINUX SECURITY ANNOUNCEMENT - OPENSSH
From: Andreas Hasenack (andreas CONECTIVA.COM.BR)
Date: Sat Jun 10 2000 - 12:11:56 CDT
----------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
----------------------------------------------------------------------
PACKAGE: openssh
SUMMARY : "UseLogin" option allows remote execution
of commands as root
DATE : 2000-06-10
AFFECTED CONECTIVA VERSIONS : 5.0
----------------------------------------------------------------------
DESCRIPTION
OpenSSH's default installation doesn't have this problem.
If the "UseLogin" option is used, then the ssh server won't drop
its root privileges, instead relying on the login program to do
so. But if the user specifies a command to be executed during the
ssh session, the login program won't be used and the program will
be run with full root privileges.
SOLUTION
Users with the "UseLogin" option set to "no" in /etc/ssh/sshd_config
are not vulnerable. If, however, this option is needed, then openssh
MUST be upgraded IMMEDIATELY.
Updated packages for openssl are also provided to satisfy openssh's
dependencies.
DIRECT DOWNLOAD LINKS TO UPDATED PACKAGES
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-askpass-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-askpass-gnome-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-clients-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-server-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssl-0.9.5a-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssl-devel-0.9.5a-1cl.i386.rpm
DIRECT LINK TO THE SOURCE PACKAGE
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/openssh-2.1.1p1-1cl.src.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/openssl-0.9.5a-1cl.src.rpm
----------------------------------------------------------------------
All packages are signed with Conectiva's PGP key. The key can be obtained at
http://www.conectiva.com.br/conectiva/contato.html
----------------------------------------------------------------------
subscribe: atualizacoes-anuncio-subscribe bazar.conectiva.com.br
unsubscribe: atualizacoes-anuncio-unsubscribe bazar.conectiva.com.br
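
The check described under SOLUTION (is "UseLogin" effectively "no" in /etc/ssh/sshd_config?), as an added example that is not part of Conectiva's advisory. The helper names effective_uselogin and check_uselogin are hypothetical, and the script assumes sshd uses the first value it finds for a keyword, matches keywords case-insensitively, and treats a missing UseLogin as "no".

```shell
#!/bin/sh
# Added example: report the effective UseLogin setting of an sshd_config file.
# Assumptions: sshd takes the first value it finds for a keyword, keywords are
# case-insensitive, and a missing UseLogin means "no" (the advisory's
# non-vulnerable default).

effective_uselogin() {
    awk '
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)      # "UseLogin yes" or "UseLogin=yes"
            if (n >= 2 && tolower(f[1]) == "uselogin") {
                v = tolower(f[2]); gsub(/"/, "", v)
                print v; found = 1; exit
            }
        }
        END { if (!found) print "no" }
    ' "$1"
}

# Exit status: 0 = not affected, 1 = UseLogin enabled, 2 = cannot tell.
check_uselogin() {
    [ -r "$1" ] || { echo "$1: cannot read"; return 2; }
    case $(effective_uselogin "$1") in
        no)  echo "$1: UseLogin no, not affected"; return 0 ;;
        yes) echo "$1: UseLogin yes, upgrade openssh as the advisory says"; return 1 ;;
        *)   echo "$1: unrecognised UseLogin value, review by hand"; return 2 ;;
    esac
}

# Constructed sample config (not from the advisory): a commented-out "no"
# followed by an active "yes", then a later "no" that sshd would ignore.
sample=$(mktemp)
printf '%s\n' 'Port 22' '#UseLogin no' '  uselogin  YES' 'UseLogin no' > "$sample"
check_uselogin "$sample" || true
rm -f "$sample"

# On a real host: check_uselogin /etc/ssh/sshd_config
```

A commented-out line or a later duplicate does not change the result, which is why a plain grep for "UseLogin" can mislead.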