Home page logo
/

bugtraq logo Bugtraq mailing list archives

[SECURITY] [DSA-134-2] Unknown OpenSSH remote vulnerability
From: Wichert Akkerman <wichert () wiggy net>
Date: Tue, 25 Jun 2002 14:37:12 +0200

-----BEGIN PGP SIGNED MESSAGE-----

- ------------------------------------------------------------------------
Debian Security Advisory DSA-134-2                   security () debian org
http://www.debian.org/security/                         Wichert Akkerman
June 25, 2002
- ------------------------------------------------------------------------


Package        : ssh
Problem type   : remote exploit
Debian-specific: no

This advisory is an update to DSA-134-1: some extra information is
provided on broken or changed functionality in this new release and
packages for Debian GNU/Linux 2.2/potato are now available.

Theo de Raadt announced that the OpenBSD team is working with ISS
on a remote exploit for OpenSSH (a free implementation of the
Secure SHell protocol). They are refusing to provide any details on
the vulnerability but instead are advising everyone to upgrade to
the latest release, version 3.3.

This version was released 4 days ago and introduced a new feature
to reduce the effect of exploits in the network handling code
called privilege separation. Unfortunately this release has a few
known problems:

* compression does not work on all operating systems since the code
  relies on specific mmap features

* the PAM support has not been completed and may break a few PAM modules

* keyboard interactive authentication does not work with privilege
  seperation. Most noticable for Debian users this breaks PAM modules
  which need a PAM conversation function (like the OPIE module).

The new privilege separation support from Niels Provos changes ssh
to use a separate non-privileged process to handle most of the
work. This means any vulnerability in this part of OpenSSH can
never lead to a root compromise but only to access to a separate
account restricted to a chroot.

Theo made it very clear this new version does not fix the
vulnerability. Instead by using the new privilege separation code
it merely reduces the risk since the attacker can only gain access
to a special account restricted in a chroot.

Since details of the problem have not been released we were forced
to move to the latest release of OpenSSH portable, version 3.3p1.

Please note that we have not had the time to do proper QA on these
packages; they might contain bugs or break things unexpectedly. If you
notice any such problems (besides the ones mentioned in this advisory)
please file a bug-report so we can investigate.

Some notes on possible issues associated with this upgrade:

* This package introduce a new account called `sshd' that is used in
  the privilege separation code. If no sshd account exists the package
  will try to create one. If the account already exists it will be
  re-used. If you do not want this to happen you will have to fix this
  manually. 

* (relevant for potato only) This update adds a backport of version
  0.9.6 of the SSL library. This means you will have to upgrade tne
  ssl package as well.

* (relevant for potato only) This update defaults to using version 2
  of the SSH protocol. This can break existing setups where RSA
  authentication is used. You will either have to add -1 to the ssh
  invocation to keep using SSH protocol 1 and your existing keys, or
  create new keys for SSH protocol 2.

* sshd defaults to enabling privilege seperation, even if you do not
  explicitly enable it in /etc/ssh/sshd_config .

* If ssh does not work for you you can try to disable compression. We
  already included a patch from Solar Designer which fixes the problem
  with Linux 2.2 kernels, but there might be a few cases where this is
  not sufficient.


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.


Debian GNU/Linux 2.2 alias potato
- ---------------------------------

  Potato was released for alpha, arm, i386, m68k, powerpc and sparc
  Packages for m68k are not available at this moment.

  Source archives:

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
      Size/MD5 checksum:  2153980 c8261d93317635d56df55650c6aeb3dc
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1.diff.gz
      Size/MD5 checksum:    37925 718ffc86669ae06b22d77c659400f4e8
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1.dsc
      Size/MD5 checksum:      784 b197de235e0d10f7bb66b4751808a033
    http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1.orig.tar.gz
      Size/MD5 checksum:   831189 226fdde5498c56288e777c7a697996e0
    http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1-0.0potato2.dsc
      Size/MD5 checksum:      871 cdfed0811edea5d6724794dbb40708db
    http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1-0.0potato2.diff.gz
      Size/MD5 checksum:    33848 37e25d0536a2e9e5c4885d2f42190aa4

  Architecture independent packages:

    http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-0.potato.1_all.deb
      Size/MD5 checksum:      976 6b39f5a320b1c8bdbba05e2c8b041b70

  alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.1_alpha.deb
      Size/MD5 checksum:   589696 f0263fe6848b8bd09ad07a370ed6310a
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1_alpha.deb
      Size/MD5 checksum:   746344 5a06b3db8f6eabf063c3099cb539ffe9
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.1_alpha.deb
      Size/MD5 checksum:  1548926 377068d478722db72c2fe52f3c23312b
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0potato2_alpha.deb
      Size/MD5 checksum:   863184 35fd7e643b2b9260ddc6f9fe3ae91c43
    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0potato2_alpha.deb
      Size/MD5 checksum:    32936 3d27fe67e3291e4a70f57dd9df35a84d

  arm architecture (ARM)

    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.1_arm.deb
      Size/MD5 checksum:   468106 c1dc499d7a06db8e831906f942d1192e
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.1_arm.deb
      Size/MD5 checksum:  1348440 7fb0b6f32b6eb2dfc78391a302bd0e02
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1_arm.deb
      Size/MD5 checksum:   728932 0a9872153979c364d41208082c80772d
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0potato2_arm.deb
      Size/MD5 checksum:   661860 ebbde85010cee05edc9f69becb94311a
    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0potato2_arm.deb
      Size/MD5 checksum:    32164 4843d937dfff5c957ad86e954755a704

  i386 architecture (Intel ia32)

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.1_i386.deb
      Size/MD5 checksum:  1290006 362451bafdf4fe2104e54a0336893519
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.1_i386.deb
      Size/MD5 checksum:   461994 a1c785ce6982b9031410362f124d873a
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1_i386.deb
      Size/MD5 checksum:   730338 747306c7e4ef0b767cb2985b74047b05
    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0potato2_i386.deb
      Size/MD5 checksum:    32456 8f55767bd74ea25aae9205e7f8a794d0
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0potato2_i386.deb
      Size/MD5 checksum:   640020 3647f6184629594f3790a34c39baab24

  powerpc architecture (PowerPC)

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1_powerpc.deb
      Size/MD5 checksum:   726602 93f47a77404ad9164565aac7ff901e43
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.1_powerpc.deb
      Size/MD5 checksum:  1384596 ff8ce54bc5fa3e0913ad1f359c36161b
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.1_powerpc.deb
      Size/MD5 checksum:   502776 a09451aa914242e199eb8e5de529ec26
    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0potato2_powerpc.deb
      Size/MD5 checksum:    32156 d8b9f4b31137e7fb05f0f9ec785a3dfc
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0potato2_powerpc.deb
      Size/MD5 checksum:   680374 270566725880521ad92ed966be21c42e

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.1_sparc.deb
      Size/MD5 checksum:  1338558 812adef25bd5abab26c47451dde84ba8
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.1_sparc.deb
      Size/MD5 checksum:   482712 d821248f15cc4e1fa6574e4cdfdf02e0
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1_sparc.deb
      Size/MD5 checksum:   738056 d27a607775a80eb4aba24d29b35fe6ff
    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0potato2_sparc.deb
      Size/MD5 checksum:    35010 da321e8fdf8f9bde1c1ffa859a54c32a
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0potato2_sparc.deb
      Size/MD5 checksum:   687352 a06d6f8008c0c7b641219dbceab230f6


Debian GNU/Linux 3.0 alias woody
- ---------------------------------

  Woody will be released for alpha, arm, hppa, i386, ia64, m68k, mips,
  mipsel, powerpc, s390 and sparc. Packages for m68k are not available
  at this moment.

  Source archives:

    http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1-0.0woody1.dsc
      Size/MD5 checksum:      751 2409524dc15e3de36ebfaa702c0311ea
    http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1.orig.tar.gz
      Size/MD5 checksum:   831189 226fdde5498c56288e777c7a697996e0
    http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1-0.0woody1.diff.gz
      Size/MD5 checksum:    33009 4850f4a167cb515cc20301288e751e27

  alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_alpha.deb
      Size/MD5 checksum:   844556 7ef1518babcb185b5ef61fde2bd881c5
    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_alpha.deb
      Size/MD5 checksum:    33422 ba9145a70719500ba56940e79e2cba02

  arm architecture (Arm)

    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_arm.deb
      Size/MD5 checksum:   653454 4b6553ed08622525c6f22e7dc488f7c6
    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_arm.deb
      Size/MD5 checksum:    32636 902f862c07059cdccb2ece3147f66282

  hppa architecture (HP PA RISC)

    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_hppa.deb
      Size/MD5 checksum:    33008 cdc5abf35a41df56be4780e251d203e8
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_hppa.deb
      Size/MD5 checksum:   750862 d66d8707a30787b9995f9716fdd97811

  i386 architecture (Intel ia32)

    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_i386.deb
      Size/MD5 checksum:   637940 c3743ca590e7efd74cb97d5be98456be
    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_i386.deb
      Size/MD5 checksum:    32928 d8a53753324406f2d9a386451e02e40d

  ia64 architecture (Intel ia64)

    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_ia64.deb
      Size/MD5 checksum:    34374 a7f36c83b84a5d4ade7a8ee992ca92da
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_ia64.deb
      Size/MD5 checksum:   998018 ff8346cfbcba7e156f825de86c440455

  mips architecture (SGI MIPS)

    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_mips.deb
      Size/MD5 checksum:    32926 afc0d38e2c49eb7ef8de86a935509af3
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_mips.deb
      Size/MD5 checksum:   725414 22b6bc8d5fcfa09ba9391ed98ccf0851

  mipsel architecture (SGI MIPS (Little Endian))

    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_mipsel.deb
      Size/MD5 checksum:    32894 71bc788f883eb7caf3262fe8b685dfd3
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_mipsel.deb
      Size/MD5 checksum:   722364 2ee3bfe9bdaa28b41dd6aaa6407e2fc6

  powerpc architecture (PowerPC)

    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_powerpc.deb
      Size/MD5 checksum:    32658 7f7fa405891087d0da0c54e0fd516d02
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_powerpc.deb
      Size/MD5 checksum:   676954 4471019ed9c792bbaf6422394d7bb77c

  s390 architecture (IBM S/390)

    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_s390.deb
      Size/MD5 checksum:    33274 81ff83437d47fba8c62351e249e70a2d
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_s390.deb
      Size/MD5 checksum:   666304 05666b9eb24bfb76bcd3c194912da912

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_sparc.deb
      Size/MD5 checksum:    32720 8f03b2b054e9fcf47ad826802e1a0192
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_sparc.deb
      Size/MD5 checksum:   681598 2d1413a153f3e51fafaaee9a8ad4682b

- -- 
- ----------------------------------------------------------------------------
apt-get: deb http://security.debian.org/ stable/updates main
dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce () lists debian org

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQB1AwUBPRhj7ajZR/ntlUftAQF3nwL+JwDug3TfaCjndFFzBwN+uK2OY8ZkpCYR
RlmUl2yYOgy9MAA6XmCwTm80fdGfD3atztjYjMQ2Nb38SRH/TJOVuKUWQGf2FKaz
TFqxE4F7J8oayOcupGG4OfPqDWqQLs+0
=Szhk
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to debian-security-announce-request () lists debian org
with a subject of "unsubscribe". Trouble? Contact listmaster () lists debian org


  By Date           By Thread  

Current thread:
  • [SECURITY] [DSA-134-2] Unknown OpenSSH remote vulnerability Wichert Akkerman (Jun 26)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault