From: Eridani Star System <linux@eridani.co.uk>
To: eridani-announce@eridani.co.uk
Subject: [Eridani-Announce] ERISA-2002:007 - openssh channel code bug
Date: Thu, 7 Mar 2002 19:55:13 +0000 (GMT)
=========================================================================
ERIDANI LINUX - SECURITY ANNOUNCEMENT
=========================================================================
Package: openssh
Summary: "Off by one" channel code bug; root exploit
Date: 2002-03-07
ID: ERISA-2002:007
=========================================================================
Problem description:
A bug exists in the channel code of OpenSSH versions 2.0 - 3.0.2.
Users with an existing account on a machine can make use of this bug
to gain root privileges. Exploiting this bug without an existing
user account has not yet been proved but is not believed to be
impossible. A maliciously modified ssh server could also use this bug
to exploit a connecting vulnerable client.
-------------------------------------------------------------------------
Updated packages:
d1cd7d4b731e9cb9449c0e2a84d46eb9 openssh-3.0.2p1-2.src.rpm
481a2004413f7378a149e6306eb6a7a5 openssh-3.0.2p1-2.i386.rpm
9383dcd91ed52aed11430399f4f8e7c2 openssh-askpass-3.0.2p1-2.i386.rpm
dd3962d013372b9a9f9730103c203d48 openssh-askpass-gnome-3.0.2p1-2.i386.rpm
ba33a45a9908a6ebcce3f7df9d27a5f9 openssh-clients-3.0.2p1-2.i386.rpm
5707f79596d94dee0508b431e491869e openssh-server-3.0.2p1-2.i386.rpm
-------------------------------------------------------------------------
References:
http://www.pine.nl/advisories/pine-cert-20020301.txt
=========================================================================
Packages available from ftp://ftp.eridani.co.uk/pub/Aeryn/
or by HTTP from http://ftp.eridani.co.uk/
Packages are signed with our GNU GPG key, also on our FTP site.
Users of releases of Eridani Linux prior to 6.3 are advised to download
the source RPM and rebuild for their system.
Copyright (C)2002 Eridani Star System
-- Michael "Soruk" McConnell http://www.eridani.co.uk
Eridani Linux -- The Most Up-to-Date Red Hat-based Linux CDROMs Available
Email: linux@eridani.co.uk -- Also Debian, Slackware, Mandrake and more...
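
Added example, not part of the original announcement or of Eridani's tooling: the updated package is still version 3.0.2p1, so a check on the version banner alone reports a patched host as inside the affected 2.0 - 3.0.2 range, and the package release has to be compared as well. It assumes package strings in the name-version-release form of the filenames above and that release 2 or later of 3.0.2p1 carries the fix; the function names are hypothetical.

```python
import re

# Values taken from the advisory text; nothing here queries a real system.
AFFECTED_MIN = (2, 0, 0)   # "OpenSSH versions 2.0 - 3.0.2"
AFFECTED_MAX = (3, 0, 2)
FIXED_VERSION = "3.0.2p1"  # from the updated package openssh-3.0.2p1-2
FIXED_RELEASE = 2          # assumption: any release >= 2 carries the fix

# name[-subpackage...]-version[pN]-release, e.g. openssh-server-3.0.2p1-2.i386.rpm
_NVR = re.compile(r"^openssh(?:-[a-z]+)*-(\d+(?:\.\d+)*)(p\d+)?-(\d+)")
_BANNER = re.compile(r"OpenSSH_(\d+(?:\.\d+)*)")


def _triple(dotted):
    """Turn '2.9' or '3.0.2' into a comparable 3-tuple of ints."""
    nums = [int(x) for x in dotted.split(".")]
    return tuple((nums + [0, 0, 0])[:3])


def banner_in_range(banner):
    """True if an `ssh -V` style banner names a version in the affected range."""
    m = _BANNER.search(banner)
    if not m:
        raise ValueError("no OpenSSH version in %r" % banner)
    return AFFECTED_MIN <= _triple(m.group(1)) <= AFFECTED_MAX


def package_status(nvr):
    """Classify an rpm name-version-release string against the advisory."""
    m = _NVR.match(nvr)
    if not m:
        raise ValueError("not an openssh package string: %r" % nvr)
    version = m.group(1) + (m.group(2) or "")
    release = int(m.group(3))
    if not (AFFECTED_MIN <= _triple(m.group(1)) <= AFFECTED_MAX):
        return "outside advisory range"
    if version == FIXED_VERSION and release >= FIXED_RELEASE:
        return "fixed"
    return "affected"


if __name__ == "__main__":
    # Constructed inputs, except the first, which is a filename from the advisory.
    for pkg in ("openssh-server-3.0.2p1-2.i386.rpm", "openssh-3.0.2p1-1",
                "openssh-clients-2.9p2-12", "openssh-3.1p1-1"):
        print(pkg, "->", package_status(pkg))
    print("banner OpenSSH_3.0.2p1 in range:", banner_in_range("OpenSSH_3.0.2p1"))
```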