From:	 Trustix Secure Linux Advisor <tsl@trustix.com>
To:	 tsl-announce@trustix.org
Subject: TSL-2001-0030 - openssh (updated)
Date:	 Thu, 20 Dec 2001 17:47:32 +0100
Cc:	 bugtraq@securityfocus.com

Note to moderator:  We had an error in the first packages created.  This is
effectively the same advisory as the previous almost identical one, but the
MD5 sums are changed.  Sorry.

Erlend
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2001-0030

Package name:      OpenSSH
Severity:          Local root exploit if UseLogin option enabled
Date:              2001-12-19
Affected versions: TSL 1.01, 1.1, 1.2, 1.5

- --------------------------------------------------------------------------

Problem description:
  A malicious local user can pass environment variables to the login
  process if the administrator enables the UseLogin option.  This can
  be abused to bypass authentication and gain root access.
  Note that this option is not enabled by default on TSL.

  Updated:
  There was a file conflict in the packages in the original advisory.
  Packages are now fixed, and the MD5 sum is updated.


Action:
  We recommend that all systems with this package installed be upgraded.


Location:
  All TSL updates are available from
  <URI:http://www.trustix.net/pub/Trustix/updates/>
  <URI:ftp://ftp.trustix.net/pub/Trustix/updates/>


Automatic updates:
  Users of the SWUP tool can have updates installed automatically
  using 'swup --upgrade'.

  Get SWUP from:
  <URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.net/support/>


Verification:
  This advisory, along with all TSL packages, is signed with the TSL sign key.
  This key is available from:
  <URI:http://www.trustix.net/TSL-GPG-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.net/errata/trustix-1.2/> and
  <URI:http://www.trustix.net/errata/trustix-1.5/>
  or directly at
  <URI:http://www.trustix.net/errata/misc/2001/TSL-2001-0030-openssh.asc.txt>

MD5sums of the packages:
- --------------------------------------------------------------------------
ca264cee029f32e7d91a879ae6d5983b  ./1.5/SRPMS/openssh-3.0.2p1-2tr.src.rpm
ba39a570c1681e0a90d288e0b0dadc72  ./1.5/RPMS/openssh-server-3.0.2p1-2tr.i586.rpm
069a436c78fc76137ff40c33eb8008ac  ./1.5/RPMS/openssh-clients-3.0.2p1-2tr.i586.rpm
599cffe859ce5baa8db1e0b8b07251dd  ./1.5/RPMS/openssh-3.0.2p1-2tr.i586.rpm
ca264cee029f32e7d91a879ae6d5983b  ./1.2/SRPMS/openssh-3.0.2p1-2tr.src.rpm
61f3e140c4b161a210ec6634b662c8bc  ./1.2/RPMS/openssh-server-3.0.2p1-2tr.i586.rpm
9c65dfdc3047d109448020a8505bc3c1  ./1.2/RPMS/openssh-clients-3.0.2p1-2tr.i586.rpm
6f532429e948a93cea48a7f28d1fbd54  ./1.2/RPMS/openssh-3.0.2p1-2tr.i586.rpm
ca264cee029f32e7d91a879ae6d5983b  ./1.1/SRPMS/openssh-3.0.2p1-2tr.src.rpm
76cfc275b6aa5af4239dbcf0e7dc9424  ./1.1/RPMS/openssh-server-3.0.2p1-2tr.i586.rpm
295f6aca056e79f70469ed1bfd98fbba  ./1.1/RPMS/openssh-clients-3.0.2p1-2tr.i586.rpm
5aec4ff6dc5d9e3f2d6c990956e15c4f  ./1.1/RPMS/openssh-3.0.2p1-2tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8IhSqwRTcg4BxxS0RAjq/AJ4mBvh5PUUnhJ3N1UnotXujGCppoACeI1V1
6TdIChmxh256yrndQzDnaUI=
=0LWF
-----END PGP SIGNATURE-----
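
The advisory says only systems where the administrator has enabled the UseLogin option are exposed. The shell function below is an added example, not part of the Trustix advisory, that reports the effective UseLogin value of an sshd_config file. The function name, the sample config and the choice to treat "true" like "yes" are assumptions of the example.

```shell
#!/bin/sh
# Added example: report the effective UseLogin setting of an sshd_config file.

# effective_uselogin FILE  ->  prints "yes" or "no"
# Keywords are matched case-insensitively, comments and blank lines are
# skipped, and the first UseLogin line wins, because sshd keeps the first
# value it reads for a keyword. No UseLogin line at all means the default, "no".
effective_uselogin() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)              # drop leading whitespace
            if (line == "" || line ~ /^#/) next   # blank line or comment
            sub(/[ \t]*=[ \t]*/, " ", line)       # accept "UseLogin=yes" too
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) != "uselogin") next
            v = tolower(f[2])                     # lowercased to err toward flagging
            gsub(/"/, "", v)                      # strip optional quotes
            found = 1
            result = (v == "yes" || v == "true") ? "yes" : "no"
            print result
            exit
        }
        END { if (!found) print "no" }
    ' "$1"
}

# Constructed sample config (not from the advisory): the commented-out line
# and the later "no" are both ignored, so the effective value is "yes".
sample=$(mktemp)
cat > "$sample" <<'EOF'
# UseLogin no
Port 22
uselogin  yes
UseLogin no
EOF
echo "UseLogin effective value: $(effective_uselogin "$sample")"
rm -f "$sample"
```

A result of "yes" means the host matches the exposure condition in the problem description until the updated packages are installed or the option is turned off.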
