Subject: Re: MDKSA-2000:057 - openssh update
From: Markus Friedl (markus.friedlINFORMATIK.UNI-ERLANGEN.DE)
Date: Thu Oct 12 2000 - 08:58:41 CDT


hello,

this makes no sense at all. the problem is about 'defects' in scp/rcp,
and has nothing to do with /usr/bin/ssh having sbits turned off or not.

this advisory is wrong, and misleading at its best.

-markus (openssh.com)

On Tue, Oct 10, 2000 at 11:51:16AM -0600, Linux Mandrake Security Team wrote:
> ________________________________________________________________________
>
> Package name: openssh
> Date: October 10th, 2000
> Advisory ID: MDKSA-2000:057
>
> Affected versions: 7.0, 7.1
> ________________________________________________________________________
>
> Problem Description:
>
> A problem exists with openssh's scp program. If a user uses scp to
> move files from a server that has been compromised, the operation can
> be used to replace arbitrary files on the user's system. The problem
> is made more serious by setuid versions of ssh which allow overwriting
> any file on the local user's system. If the ssh program is not setuid
> or is setuid to someone other than root, the intrusion is limited to
> files with write access granted to the owner of the ssh program. In
> either case, files can be overwritten with code allowing others access
> to the system unexpectedly. While no fix has been provided for openssh
> as of yet, the versions of openssh available for Linux-Mandrake 7.0 and
> 7.1 were setuid root. This update removes the setuid bit from the ssh
> program and limits the exploitability of scp somewhat. All users of
> Linux-Mandrake are encouraged to upgrade to these latest openssh
> builds. Linux-Mandrake 7.0 users will also need to upgrade openssl in
> order to use the 7.0 update of openssh.
> ________________________________________________________________________