Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

MDKSA-2005:172 - Updated openssh packages fix GSSAPI credentials vulnerability
From: Mandriva Security Team <security () mandriva com>
Date: Thu, 06 Oct 2005 21:02:30 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           openssh
 Advisory ID:            MDKSA-2005:172
 Date:                   October 6th, 2005

 Affected versions:      10.2
 ______________________________________________________________________

 Problem Description:

 Sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, 
 allows GSSAPI credentials to be delegated to clients who log in using
 non-GSSAPI methods, which could cause those credentials to be exposed 
 to untrusted users or hosts.
 
 GSSAPI is only enabled in versions of openssh shipped in LE2005 and
 greater.
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2798
 ______________________________________________________________________

 Updated Packages:
  
 Mandrivalinux 10.2:
 5b16f3323d58303c290bf4b8c4e2a4b3  10.2/RPMS/openssh-3.9p1-9.1.102mdk.i586.rpm
 2a7fca4e1c99008a53cb9498c1bd9840  10.2/RPMS/openssh-askpass-3.9p1-9.1.102mdk.i586.rpm
 65f397d175fb638d0e73912a7e9faa7d  10.2/RPMS/openssh-askpass-gnome-3.9p1-9.1.102mdk.i586.rpm
 2733baa7c0258da37920d66a7f1ee9d3  10.2/RPMS/openssh-clients-3.9p1-9.1.102mdk.i586.rpm
 a93cd3020e41bd6b25c3fa57ca8586f8  10.2/RPMS/openssh-server-3.9p1-9.1.102mdk.i586.rpm
 f90cfc307f313e14ddd919fc729f1984  10.2/SRPMS/openssh-3.9p1-9.1.102mdk.src.rpm

 Mandrivalinux 10.2/X86_64:
 545f0245578cee586f2ded4b3616061a  x86_64/10.2/RPMS/openssh-3.9p1-9.1.102mdk.x86_64.rpm
 98962ab477d7cc19338d04acdb462ec1  x86_64/10.2/RPMS/openssh-askpass-3.9p1-9.1.102mdk.x86_64.rpm
 0935a8dd00cdb2604e6fd37a6913cb91  x86_64/10.2/RPMS/openssh-askpass-gnome-3.9p1-9.1.102mdk.x86_64.rpm
 7c124895fc7fad47d1e88ee3ebe91daf  x86_64/10.2/RPMS/openssh-clients-3.9p1-9.1.102mdk.x86_64.rpm
 27bc59e934f3d196470611cc4e9dd430  x86_64/10.2/RPMS/openssh-server-3.9p1-9.1.102mdk.x86_64.rpm
 f90cfc307f313e14ddd919fc729f1984  x86_64/10.2/SRPMS/openssh-3.9p1-9.1.102mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDReVGmqjQ0CJFipgRAgi7AJoDZK/7jx9vTmuREYGwbuuHWPZBpgCeM6Nu
tKt935OPASf8jkciIGK6c2w=
=ekrb
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • MDKSA-2005:172 - Updated openssh packages fix GSSAPI credentials vulnerability Mandriva Security Team (Oct 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault