SuSE distributions contain the ssh package in the version 1.2.27. No later version is provided because of licensing issues. SuSE maintains the 1.2.27 version in a patched package. Three new patches have been added that workaround three independent security problems in the ssh package: a) SSHD-1 Logging Vulnerability (discovered and published by Jose Nazario, Crimelabs). Attackers can remotely brute-force passwords without getting noticed or logged. In the ssh package from the SuSE distribution, root login is allowed, as well as password authentication. Even though brute-forcing a password may take an enormous amount of time and resources, the issue is to be taken seriously. b) SSH1 session key recovery vulnerability (by (Ariel Waissbein, Agustin Azubel) - CORE SDI, Argentina, and David Bleichenbacher). Captured encrypted ssh traffic can be decrypted with some effort by obtaining the session key for the ssh session. The added patch in our package causes the ssh daemon to generate a new server key pair upon failure of an RSA operation (please note that the patch supplied with Iván Arce on bugtraq on Wed, 7 Feb 2001 has been corrected later on!). c) In 1998, the ssh-1 protocol was found to be vulnerable to an attack where arbitrary sequences could be inserted into the ssh-1 protocol layer. The attack was called "crc32 compensation attack", and a fix was introduced (crc compensation attack detector in the ssh -v output) into the later versions of ssh. Michal Zalewski discovered that the fix in its most widely used implementation is defective. An integer overflow allows an attacker to overwrite arbitrary memory in the sshd process' address space, which potentionally results in a remote root compromise. There are easy resorts that can be offered: a) switch to openssh (please use the openssh packages on http://ftp.suse.com from the same update directories as the ssh package update URLs below indicate). openssh is a different implementation of the ssh protocol that is compatible to the protocol versions 1 and 2. Openssh Version 2.3.0 does not suffer from the problems listed above. Versions before 2.3.0 are vulnerable to other problems, so please use the updates from the update directory on the http://ftp.suse.de ftp server. See section 2) of this announcement for the md5sums of the packages. b) upgrade your ssh package from the locations described below.
Several people have noted a number of problems in several components of the X Window System sample implementation (from which XFree86 is derived). Please read DSA 030-1 for a detailed description.
Chris Evans, Joseph S. Myers, Michal Zalewski, Alan Cox, and others have noted a number of problems in several components of the X Window System sample implementation (from which XFree86 is derived). While there are no known reports of real-world malicious exploits of any of these problems, it is nevertheless suggested that you upgrade your XFree86 packages immediately.
The following problems have been reported for the version of proftpd in Debian 2.2 (potato):
Styx has reported that the program `man' mistakenly passes malicious strings (i.e. containing format characters) through routines that were not meant to use them as format strings. Since this could cause a segmentation fault and privileges were not dropped it may lead to an exploit for the 'man' user.
This upload fixes:
Three security holes fixed in new kernel, and several other updates and bug fixes have been applied as well.
The XEmacs package as shipped with Red Hat PowerTools 6.2 has a security problem with gnuserv and gnuclient, due to a buffer overflow and weak security.
The XEmacs package as shipped with Red Hat Linux 7 has a security problem with gnuserv and gnuclient.
bind-8.x in all versions of the SuSE distributions contain a bug in the transaction signature handling code that can allow to remotely over- flow a buffer and thereby execute arbitrary code as the user running the nameserver (this is user named by default on SuSE systems). In addition to this bug, another problem allows for a remote attacker to collect information about the running bind process (this has been found by Claudio Musmarra <email@example.com>). For more information on these bugs, please visit the CERT webpage at http://www.cert.org/advisories/CA-2001-02.html and the bind bugs webpage at http://www.isc.org/products/BIND/bind-security.html .
The inetd server as shipped with Red Hat Linux 6.2 fails to close sockets for internal services properly.
kdesu is a KDE frontend for su(1). When invoked it prompts for the root password and runs su(1). kdesu itself does not run setuid/setgid.
Several security problems have been found in the bind 8.
BIND 8 suffered from several buffer overflows. It is possible to construct an inverse query that allows the stack to be read remotely exposing environment variables. CERT has disclosed information about these issues. A new upstream version fixes this. Due to the complexity of BIND we have decided to make an exception to our rule by releasin the new upstream source to our stable distribution.
Multiple vulnerabilities exist in the versions of BIND found in Slackware 7.1 and -current. Users of BIND 8.x are urged to upgrade to 8.2.3 to fix these problems. More information can be found on the BIND website:
A former security upload of OpenSSH was linked against the wrong version of libssl (providing an API to SSL), that version was not available on sparc. This ought to fix a former upload that lacked support for PAM which lead into people not being able to log in into their server. This was only a problem on the sparc architecture.
A former security upload of OpenSSH lacked support for PAM which lead into people not being able to log in into their server. This was only a problem on the sparc architecture.
The FreeBSD team has found a bug in the way new crontabs were handled which allowed malicious users to display arbitrary crontab files on the local system. This only affects valid crontab files so can't be used to get access to /etc/shadow or something. crontab files are not especially secure anyway, as there are other ways they can leak. No passwords or similar sensitive data should be in there.
1. People at WireX have found several potential insecure uses of temporary files in programs provided by INN2. Some of them only lead to a vulnerability to symlink attacks if the temporary directory was set to /tmp or /var/tmp, which is the case in many installations, at least in Debian packages. An attacker could overwrite any file owned by the news system administrator, i.e. owned by news.news.
Former versions of the exmh program used /tmp for storing temporary files. No checks were made to ensure that nobody placed a symlink with the same name in /tmp in the meantime and thus was vulnerable to a symlink attack. This could lead to a malicious local user being able to overwrite any file writable by the user executing exmh. Upstream developers have reported and fixed this. The exmh program now use /tmp/login now unless TMPDIR or EXMHTMPDIR is set.