Date:         Wed, 15 Nov 2000 11:02:00 -0600
From:         Bryan Paxton <bpaxton@SECURITYPORTAL.COM>
Subject:      LSLID:2000111504 - Trustix - bind and openssh (and modutils)
To:           LINUX-SECURITY@LISTSERV.SECURITYPORTAL.COM

LSLID:2000111504

Hi

Trustix has created updated packages for Trustix Secure Linux 1.0x and
1.1 that fix one security problem and one DoS attack:

openssh, openssh-clients, openssh-server:

The openssh client does not enforce the "ForwardX11 no" and
"ForwardAgent no" configuration options, so a malicious server
could force a client to forward these even if they are turned off.

The X11 forwarding part is not a big issue for Trustix Secure Linux, as
the OS does not have any X11. Agent forwarding could, however, be an
issue.

bind, bind-devel, bind-utils:

Fixes a DoS attack against the name daemon.  Note that TSL comes with
all network services turned off by default, and will thus only run named
on systems where this has been explicitly configured.  This DoS attack
has to do with zone transfers, and will therefore only be possible from
the server's configured slaves.

The modutils part is just to reassure users that Trustix Secure Linux
comes with modutils version 2.1.121, which should not be susceptible to
the attacks seen in later versions.

MD5sums:
fdd14c09864e3deef43fe5e5bdabcf64  openssh-2.3.0p1-1tr.i586.rpm
06ede52d3461a98b3128a1bb181cf836  openssh-clients-2.3.0p1-1tr.i586.rpm
6b49cf18ac659591e8c1fa2c0c69125a  openssh-server-2.3.0p1-1tr.i586.rpm
81954383f8199dcf1c81806e2129d731  bind-8.2.2_P7-2tr.i586.rpm
133aeb6a90adc402cad2d2b597193d1c  bind-devel-8.2.2_P7-2tr.i586.rpm
13a81108e19c2560f98e31e337217659  bind-utils-8.2.2_P7-2tr.i586.rpm

Get the packages from:
http://www.trustix.net/download/Trustix/updates/1.1/RPMS/
or:
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/

Regards,

        Trustix Security Advisor