
Re: [linux-security] openssh pubkey bug



On Fri, Oct 19, 2001 at 12:48:37PM -0700, Martin Siegert wrote:
> Topic
> =====
> access restrictions can be bypassed in openssh.
> 
> RedHat 6.x
> ----------
> RedHat 6.x did not come with openssh. If you installed rpms provided at
> the openssh web site (www.openssh.com) or on sphinx in SFU's contrib directory
> for RedHat 6.2 (/vol/vol1/distrib/redhat/6.2/contrib), then you are
> almost certainly affected by this bug. New rpms have been provided on
> sphinx (these are rpms compiled for RH 6.2 that are equivalent to the
> RH 7.1 rpms (see below) that contain the patch). I would appreciate 
> if you would send me an email if you have problems with these rpms.
> Assuming that you have mounted the sphinx distribution at /mnt/redhat, e.g.,
> 
> mount -t nfs sphinx.sfu.ca:/vol/vol1/distrib/redhat/6.2 /mnt/redhat
> 
> you can install those rpms in the following way:
> 
> cd /mnt/redhat/contrib
> rpm -Fvh openssh-2.9p2-8.6.x.i386.rpm \
>          openssh-clients-2.9p2-8.6.x.i386.rpm \
>          openssh-server-2.9p2-8.6.x.i386.rpm \
>          openssh-askpass-2.9p2-8.6.x.i386.rpm \
>          openssh-askpass-gnome-2.9p2-8.6.x.i386.rpm

For those of you who have already tried to install the new openssh packages
for RH 6.2 from sphinx.sfu.ca:/vol/vol1/distrib/redhat/6.2/contrib:

Unfortunately, I built the rpms with the wrong version of the openssl
library, which has the effect that you can install the rpms, but you can't
use them. Sorry for that. I have now replaced the rpms with ones that are
built with the openssl library that comes with RH 6.2 (openssl-0.9.5a-7.6.x).
You must replace the just installed rpms with the new ones from
sphinx.sfu.ca:/vol/vol1/distrib/redhat/6.2/contrib. Since the new rpms
have the same version as the old ones, you must force the installation.
To get a list of the installed rpms type:

# rpm -qa | grep openssh

and then update only the rpms shown with the following command:

# rpm -Uvh --force <list of rpms>

E.g., 

# rpm -qa | grep openssh
openssh-2.9p2-8.6.x
openssh-clients-2.9p2-8.6.x
openssh-server-2.9p2-8.6.x

# rpm -Uvh --force openssh-2.9p2-8.6.x.i386.rpm openssh-clients-2.9p2-8.6.x.i386.rpm openssh-server-2.9p2-8.6.x.i386.rpm

For those of you who haven't upgraded yet, everything remains the same as
described in the previous advisory.

========================================================================
Martin Siegert
Academic Computing Services                        phone: (604) 291-4691
Simon Fraser University                            fax:   (604) 291-4242
Burnaby, British Columbia                          email: siegert@sfu.ca
Canada  V5A 1S6
========================================================================
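
The "update only the rpms shown" step above, as an added example that is not part of the original message: it turns `rpm -qa` output into the forced reinstall command, selecting only openssh packages already at the rebuilt version. The function names are hypothetical, and it assumes `rpm -qa` prints name-version-release as in the listing above.

```shell
#!/bin/sh
# Added example, not from the original message.
# Only packages already installed at the rebuilt version need --force;
# anything else (other packages, older openssh builds) is left alone.

REBUILT_VERSION="2.9p2-8.6.x"   # version-release string quoted in the message

# Reads `rpm -qa` style lines (name-version-release) on stdin and prints the
# matching .i386.rpm file names, one per line, in input order.
openssh_rpm_files() {
    awk -v ver="$REBUILT_VERSION" '
        {
            suffix = "-" ver
            n = length($0) - length(suffix)
            if (n <= 0 || substr($0, n + 1) != suffix)
                next                      # not at the rebuilt version
            name = substr($0, 1, n)
            # openssh itself or a subpackage such as openssh-server
            if (name ~ /^openssh(-[a-z]+)*$/)
                print $0 ".i386.rpm"
        }'
}

# Reads the same input and prints the single rpm command to run.
# Returns 1 and prints nothing when no installed package qualifies.
force_upgrade_command() {
    files=$(openssh_rpm_files | tr '\n' ' ')
    files=${files% }                      # drop the trailing space
    [ -n "$files" ] || return 1
    printf 'rpm -Uvh --force %s\n' "$files"
}

# Usage on a live system, run from the contrib directory:
#   rpm -qa | force_upgrade_command
```
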