OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: bugzillaredhat.com
Date: Thu Jun 27 2002 - 16:47:47 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ---------------------------------------------------------------------
                       Red Hat, Inc. Red Hat Security Advisory

    Synopsis: Updated OpenSSH packages fix various security issues
    Advisory ID: RHSA-2002:127-18
    Issue date: 2002-06-24
    Updated on: 2002-06-27
    Product: Red Hat Linux
    Keywords: security pam openssh ChallengeResponseAuthentication
    Cross references:
    Obsoletes: RHSA-2002:043

    ---------------------------------------------------------------------

    1. Topic:

    Updated openssh packages are now available for Red Hat Linux 7, 7.1, 7.2,
    and 7.3. These updates fix an input validation error in OpenSSH.

    2. Relevant releases/architectures:

    Red Hat Linux 7.0 - alpha, i386

    Red Hat Linux 7.1 - alpha, i386, ia64

    Red Hat Linux 7.2 - i386, ia64

    Red Hat Linux 7.3 - i386

    3. Problem description:

    OpenSSH provides an implementation of the SSH (secure shell) protocol used
    for logging into and executing commands on remote machines.

    Versions of the OpenSSH server between 2.3.1 and 3.3 contain an input
    validation error that can result in an integer overflow and privilege
    escalation.

    At this time, Red Hat does not believe that the default installation of
    OpenSSH on Red Hat Linux is vulnerable to this issue; however a user would
    be vulnerable if the configuration option "PAMAuthenticationViaKbdInt" is
    enabled in the sshd configuration file (it is not enabled by default).

    We have applied the security fix provided by the OpenSSH team to these
    errata packages which are based on OpenSSH 3.1p1. This should minimize the
    impact of upgrading to our errata packages.

    All users of OpenSSH should update to these errata packages which are not
    vulnerable to this issue.

    4. Solution:

    Before applying this update, make sure all previously released errata
    relevant to your system have been applied.

    To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

    where [filenames] is a list of the RPMs you wish to upgrade. Only those
    RPMs which are currently installed will be updated. Those RPMs which are
    not installed but included in the list will not be updated. Note that you
    can also use wildcards (*.rpm) if your current directory *only* contains
    the desired RPMs.

    Please note that this update is also ava