Slackware alert: New OpenSSH packages available

Posted by dave on Jun 26, 2002 12:45 PM EDT

"While testing for Oracle vulnerabilities, Mark Litchfield discovered a denial of service attack for Apache on Windows. Investigation by the Apache Software Foundation showed that this issue has a wider scope, which on some platforms results in a denial of service vulnerability, while on some other platforms presents a potential remote exploit vulnerability."


The complete text of the Apache announcement may be found here: http://httpd.apache.org/info/security_bulletin_20020617.txt

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0392 to this issue: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392

SOLUTION
--------

We recommend that sites providing external Apache access upgrade to the fixed Apache package as soon as possible. If you are using mod_ssl, you will also require an updated mod_ssl package. Updated packages have been prepared for Slackware 8.0 and 8.1.

WHERE TO FIND THE NEW PACKAGES:
-------------------------------

Updated Apache package for Slackware 8.0: ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/apache.tgz

Updated Apache package for Slackware 8.1: ftp://ftp.slackware.com/pub/slackware/slackware-8.1/slackware/n/apache-1.3.26-i386-1.tgz

Updated mod_ssl package for Slackware 8.0: ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/mod_ssl.tgz

Updated mod_ssl package for Slackware 8.1: ftp://ftp.slackware.com/pub/slackware/slackware-8.1/slackware/n/mod_ssl-2.8.9_1.3.26-i386-1.tgz

MD5 SIGNATURE:
--------------

Here are the md5sums for the packages:

Slackware 8.0:
69de43846c84209bc274ff5c1af554d6  apache.tgz
ca09ade9fbcd66b2e6e2aa13906140d2  mod_ssl.tgz

Slackware 8.1:
d92ba4c9a8b4afd589e274f394fa0e3c  apache-1.3.26-i386-1.tgz
1ac6cd008bb22db99accacc8648efbf6  mod_ssl-2.8.9_1.3.26-i386-1.tgz

INSTALLATION INSTRUCTIONS:
--------------------------

First, stop apache:

# apachectl stop

Next, upgrade the package(s):

# upgradepkg apache-1.3.26-i386-1.tgz
# upgradepkg mod_ssl-2.8.9_1.3.26-i386-1.tgz

Then, restart apache:

# apachectl start

Remember, it's also a good idea to back up configuration files before upgrading packages.

- Slackware Linux Security Team http://www.slackware.com

+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST:                         |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back.  Follow the instructions to  |
| complete the unsubscription.  Do not reply to this message to          |
| unsubscribe!                                                           |
+------------------------------------------------------------------------+

From owner-slackware-security@bob.slackware.com Wed Jun 26 13:45:49 2002
Received: (from daemon@localhost)
	by bob.slackware.com (8.11.6/8.11.6) id g5QKjn631503
	for slackware-security-outgoing; Wed, 26 Jun 2002 13:45:49 -0700
Received: from localhost (security@localhost)
	by bob.slackware.com (8.11.6/8.11.6) with ESMTP id g5QKjmB31500
	for <slackware-security@slackware.com>; Wed, 26 Jun 2002 13:45:48 -0700
Date: Wed, 26 Jun 2002 13:45:48 -0700 (PDT)
From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] New OpenSSH packages available
Message-ID: <Pine.LNX.4.21.0206261345220.31468-100000@bob.slackware.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-slackware-security@slackware.com
Precedence: bulk
Reply-To: Slackware Security Team <security@slackware.com>
Status: RO

New OpenSSH 3.4p1 packages providing privilege separation for improved security are available for Slackware 7.1, 8.0, and 8.1. Here are the details from the Slackware 8.1 ChangeLog:

----------------------------
Wed Jun 26 12:03:06 PDT 2002
patches/packages/openssh-3.4p1-i386-1.tgz:  Upgraded to openssh-3.4p1.
  This version enables privilege separation by default.  The README.privsep
  file says this about it:

Privilege separation, or privsep, is a method in OpenSSH by which operations that require root privilege are performed by a separate privileged monitor process. Its purpose is to prevent privilege escalation by containing corruption to an unprivileged process. More information is available at: http://www.citi.umich.edu/u/provos/ssh/privsep.html

Note that ISS has released an advisory on OpenSSH (OpenSSH Remote Challenge Vulnerability). Slackware is not affected by this issue, as we have never included AUTH_BSD, S/KEY, or PAM. Unless at least one of these options is compiled into sshd, it is not vulnerable. Further note that none of these options are turned on in a default build from source code, so if you have built sshd yourself you should not be vulnerable unless you've enabled one of these options.

Regardless, the security provided by privsep is unquestionably better. This time we (Slackware) were lucky, but next time we might not be. Therefore we recommend that all sites running the OpenSSH daemon (sshd, enabled by default in Slackware 8.1) upgrade to this new openssh package. After upgrading the package, restart the daemon like this:

/etc/rc.d/rc.sshd restart

We would like to thank Theo and the rest of the OpenSSH team for their quick handling of this issue, Niels Provos and Markus Friedl for implementing privsep, and Solar Designer for working out issues with privsep on 2.2 Linux kernels.
----------------------------

The text of the ISS Advisory may be found here: http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.js...

WHERE TO FIND THE NEW PACKAGES:
-------------------------------

Updated OpenSSH package for Slackware 8.1: ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/openssh-3.4p1-i386-1.tgz

Updated OpenSSH package for Slackware 8.0: ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/openssh.tgz

Updated OpenSSH package for Slackware 7.1: ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/openssh.tgz

MD5 SIGNATURES:
---------------

Here are the md5sums for the packages:

Slackware 8.1:
bfd503d88144c62906deef4a1280f583  openssh-3.4p1-i386-1.tgz

Slackware 8.0:
a88c387e5261dd9ac90b113e85d054ed  openssh.tgz

Slackware 7.1:
416b8e06b181ab01a975958a893688b3  openssh.tgz

INSTALLATION INSTRUCTIONS:
--------------------------

First upgrade the OpenSSH package:

# upgradepkg openssh-3.4p1-i386-1.tgz

Then, check the /etc/ssh/ directory where the new config files will be installed as ssh_config.new and sshd_config.new. Most sites will want to move these on top of the existing config files:

# mv ssh_config.new ssh_config
# mv sshd_config.new sshd_config

Finally, restart the sshd daemon:

# . /etc/rc.d/rc.sshd restart
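Both advisories publish md5sums but the installation steps above run upgradepkg straight away. The helper below is an added example, not Slackware's own tooling: it checks a downloaded package against the sum printed in the advisory (the Slackware 8.1 values from both advisories are copied into a table) and only calls upgradepkg when every file matches; the md5_of, expected_md5, verify_pkg and safe_upgrade names are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): verify a downloaded Slackware package
# against the md5sum published in the advisory before upgradepkg touches it.

# Expected sums copied from the advisory text (Slackware 8.1 packages).
EXPECTED_SUMS="
d92ba4c9a8b4afd589e274f394fa0e3c apache-1.3.26-i386-1.tgz
1ac6cd008bb22db99accacc8648efbf6 mod_ssl-2.8.9_1.3.26-i386-1.tgz
bfd503d88144c62906deef4a1280f583 openssh-3.4p1-i386-1.tgz
"

# Print the MD5 of a file; uses coreutils md5sum, falling back to openssl.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Look up the published sum for a package file name; prints nothing if unknown.
expected_md5() {
    printf '%s\n' "$EXPECTED_SUMS" | awk -v pkg="$1" '$2 == pkg {print $1}'
}

# verify_pkg PATH [EXPECTED]: exit 0 only when the file's MD5 matches.
# The optional second argument overrides the table (handy for self-checks).
verify_pkg() {
    want=${2:-$(expected_md5 "$(basename "$1")")}
    [ -n "$want" ] || { echo "no published sum for $1" >&2; return 2; }
    got=$(md5_of "$1")
    if [ "$got" = "$want" ]; then
        echo "OK  $1"
        return 0
    fi
    echo "MISMATCH $1: got $got, advisory says $want" >&2
    return 1
}

# Upgrade only when every listed package verifies; stop at the first mismatch.
safe_upgrade() {
    for pkg in "$@"; do
        verify_pkg "$pkg" || return 1
    done
    upgradepkg "$@"
}
```

The sum has to come from the advisory mail itself; a checksum fetched from the same mirror as the package detects only transfer corruption, not a tampered mirror.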

- Slackware Linux Security Team http://www.slackware.com

