Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[USN-208-1] SSH server vulnerability
From: Martin Pitt <martin.pitt () canonical com>
Date: Mon, 17 Oct 2005 18:37:35 +0200

===========================================================
Ubuntu Security Notice USN-208-1           October 17, 2005
openssh vulnerability
CAN-2005-2798
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

openssh-server

The problem can be corrected by upgrading the affected package to
version 1:3.8.1p1-11ubuntu3.2 (for Ubuntu 4.10), or 1:3.9p1-1ubuntu2.1
(for Ubuntu 5.04).  In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

An information disclosure vulnerability has been found in the SSH
server. When the GSSAPIAuthentication option was enabled, the SSH
server could send GSSAPI credentials even to users who attempted to
log in with a method other than GSSAPI. This could inadvertently
expose these credentials to an untrusted user.

Please note that this does not affect the default configuration of the
SSH server.


Updated packages for Ubuntu 4.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1-11ubuntu3.2.diff.gz
      Size/MD5:   145915 b3fde6ad57fa71c6fedd0d857a41b98d
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1-11ubuntu3.2.dsc
      Size/MD5:      878 24b7a0d1b0bc1b12b4bfcdbe6523175f
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1.orig.tar.gz
      Size/MD5:   795948 9ce6f2fa5b2931ce2c4c25f3af9ad50d

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh_3.8.1p1-11ubuntu3.2_all.deb
      Size/MD5:    30068 9ef84fcec461c2890a1623499383b845

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.8.1p1-11ubuntu3.2_amd64.udeb
      Size/MD5:   159440 464c3d1ddad5e743c3f87fab0801bd91
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.8.1p1-11ubuntu3.2_amd64.deb
      Size/MD5:   524028 51bda380ea97ef5d49d475b4d210fb6d
    http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.8.1p1-11ubuntu3.2_amd64.udeb
      Size/MD5:   176150 f0456146f631cb925407693de6c707ae
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.8.1p1-11ubuntu3.2_amd64.deb
      Size/MD5:   263790 a5014d5e2e28be860944fee7087c2d30
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-11ubuntu3.2_amd64.deb
      Size/MD5:    53286 933c38274907edc3033e5728beb8a7f0

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.8.1p1-11ubuntu3.2_i386.udeb
      Size/MD5:   133700 91e3983782270ba83ead5fdf75cf6056
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.8.1p1-11ubuntu3.2_i386.deb
      Size/MD5:   473980 57c5dd711cb4bba5af54b377ddf25727
    http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.8.1p1-11ubuntu3.2_i386.udeb
      Size/MD5:   146854 94bae5597a13d613d1a7fe6d34e8312c
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.8.1p1-11ubuntu3.2_i386.deb
      Size/MD5:   241586 3761cc46ab91630196103390b86d36f4
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-11ubuntu3.2_i386.deb
      Size/MD5:    52956 35adb2d5dafd2b25d0aaa73c87b8231c

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.8.1p1-11ubuntu3.2_powerpc.udeb
      Size/MD5:   151096 34eaad307c336ec22cdd062ab8343918
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.8.1p1-11ubuntu3.2_powerpc.deb
      Size/MD5:   520822 be831a5152a07823c8a3642de79c23c3
    http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.8.1p1-11ubuntu3.2_powerpc.udeb
      Size/MD5:   160176 aae5f5a422bc2086c78581b05f6eb71b
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.8.1p1-11ubuntu3.2_powerpc.deb
      Size/MD5:   257946 0960bfb03e1682d28086d5b11bc55f51
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-11ubuntu3.2_powerpc.deb
      Size/MD5:    54404 5729a05da0f88afe145a38ac80c92ae5

Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.9p1-1ubuntu2.1.diff.gz
      Size/MD5:   139063 63d2f62b292d2ac8baec90117878dbbd
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.9p1-1ubuntu2.1.dsc
      Size/MD5:      866 a4fce3d18d282f646942b15fb7a26915
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.9p1.orig.tar.gz
      Size/MD5:   832804 530b1dcbfe7a4a4ce4959c0775b85a5a

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh_3.9p1-1ubuntu2.1_all.deb
      Size/MD5:    30784 6c4ec282b6ad44325c9e4cb7e9f99133

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.9p1-1ubuntu2.1_amd64.udeb
      Size/MD5:   166004 ad72e257534bca3288a87f42da24321a
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.9p1-1ubuntu2.1_amd64.deb
      Size/MD5:   541790 5ea523c81b6d60f06aacba79cba0d1ca
    http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.9p1-1ubuntu2.1_amd64.udeb
      Size/MD5:   178906 e299cfe208e71c00ab70966fd45fc896
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.9p1-1ubuntu2.1_amd64.deb
      Size/MD5:   278618 06a33a10eae290df72a1bac94147ae91
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.9p1-1ubuntu2.1_amd64.deb
      Size/MD5:    62376 17d33928bfe3099328a580ff0049ad5a

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.9p1-1ubuntu2.1_i386.udeb
      Size/MD5:   138820 2f62cd70e9b0ae744fb648633b82e3f2
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.9p1-1ubuntu2.1_i386.deb
      Size/MD5:   490984 19aa2eee3bebb877825ca4cc56fc0a28
    http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.9p1-1ubuntu2.1_i386.udeb
      Size/MD5:   148848 dfe53e11807c424c82627519b54f50f0
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.9p1-1ubuntu2.1_i386.deb
      Size/MD5:   255490 cd0d1f2c1e542ce117aeb6f323f50f29
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.9p1-1ubuntu2.1_i386.deb
      Size/MD5:    61982 0c6e0e48f00a03bf8d578386ba2ecc67

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.9p1-1ubuntu2.1_powerpc.udeb
      Size/MD5:   157968 493980c3c33a672090dfbf1abbf3e373
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.9p1-1ubuntu2.1_powerpc.deb
      Size/MD5:   538048 05826f416d68106a2c43b8c292cf4173
    http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.9p1-1ubuntu2.1_powerpc.udeb
      Size/MD5:   163124 bb83628be05ff708f46af190ffad7700
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.9p1-1ubuntu2.1_powerpc.deb
      Size/MD5:   272738 40ae3f2b793802b5ad55f75d983354df
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.9p1-1ubuntu2.1_powerpc.deb
      Size/MD5:    63500 6c6daed8410fa8216e896f2c778f476c

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]