[LON-CAPA-admin] openssh security holes
Martin Siegert
siegert at sfu.ca
Fri Jun 28 15:49:51 EDT 2002
Hi,
As already mentioned on this list there are two security holes in
openssh:
1) in the challenge response authentication code; affected versions:
2.9.9 to 3.3 inclusively
2) in the pam interactive keyboard authentication code: affected versions:
2.3.1 to 3.3 inclusively
RedHat just released new RPMs for RH 7.x that are patched against both
vulnerabilities (openssh-3.1p1-5 for RH 7.0 and 7.1 and openssh-3.1p1-6
for RH 7.2 and 7.3).
Since those RPMs cannot be used for RedHat 6.x because they are incompatible
with openssl-0.9.5a used under RedHat 6.x, I patched openssh-2.9p2 against
vulnerability 2 (and all other previously published security holes) and made
the RPMs available at
http://www.sfu.ca/acs/ssh/ssh_linux.html
(the version is openssh-2.9p2-14.6.x)
Upgrade with

    rpm -Fvh openssh-2.9p2-14.6.x.i386.rpm \
        openssh-clients-2.9p2-14.6.x.i386.rpm \
        openssh-server-2.9p2-14.6.x.i386.rpm \
        openssh-askpass-2.9p2-14.6.x.i386.rpm \
        openssh-askpass-gnome-2.9p2-14.6.x.i386.rpm

For more details on the vulnerability see the corresponding CERT advisory
or http://www.sfu.ca/~siegert/linux-security/msg00125.html
I hope this helps.
Happy Canada Day! :-)
Cheers,
Martin
========================================================================
Martin Siegert
Academic Computing Services phone: (604) 291-4691
Simon Fraser University fax: (604) 291-4242
Burnaby, British Columbia email: siegert at sfu.ca
Canada V5A 1S6
========================================================================
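
The following is an added example, not part of the original message: a shell check that classifies an installed OpenSSH "version-release" string against the two affected ranges given above, while treating the builds the message names as patched separately, since backported fixes keep the upstream version number. The function names and the sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an OpenSSH "version-release" string against the two
# affected ranges stated in the message above. Function names are hypothetical.
# On an RPM system the string would come from:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssh

# Builds the message names as patched. Vendor backports keep the upstream
# version number, so a range check alone would still flag them.
PATCHED_BUILDS="3.1p1-5 3.1p1-6 2.9p2-14.6.x"

# Turn an upstream version such as "2.9.9" or "3.1" into a sortable integer.
ver_key() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

# Print "patched-build", "none", or the list of issues the version falls under.
openssh_affected() {
    nvr=$1
    for b in $PATCHED_BUILDS; do
        if [ "$nvr" = "$b" ]; then echo "patched-build"; return 0; fi
    done
    ver=${nvr%%-*}                  # drop the RPM release
    key=$(ver_key "${ver%%p*}")     # drop the portable "pN" suffix
    hi=$(ver_key 3.3)
    result=""
    # 1) challenge response authentication: 2.9.9 to 3.3 inclusive
    if [ "$key" -ge "$(ver_key 2.9.9)" ] && [ "$key" -le "$hi" ]; then
        result="challenge-response"
    fi
    # 2) PAM keyboard-interactive authentication: 2.3.1 to 3.3 inclusive
    if [ "$key" -ge "$(ver_key 2.3.1)" ] && [ "$key" -le "$hi" ]; then
        result="${result:+$result }pam-kbdint"
    fi
    echo "${result:-none}"
}

# Constructed sample inputs (not taken from a real host).
for sample in 3.1p1-2 3.1p1-6 2.9p2-12 2.9p2-14.6.x 2.3.0p1-4 3.4p1-1; do
    printf '%-14s %s\n' "$sample" "$(openssh_affected "$sample")"
done
```

A build whose release is not in the list is judged by its upstream version only, so a later vendor release with the same backported fixes is still reported as affected until it is added to `PATCHED_BUILDS`.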