6288048 2001-03-29 13:58 +0200 /74 lines/ <tsl@TRUSTIX.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-03-29 21:18 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: tsl@TRUSTIX.COM
Recipient: Bugtraq (import) <16218>
Subject: Trustix Security Advisory #2001-0002 - OpenSSH
------------------------------------------------------------
From: tsl@TRUSTIX.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010329135825.B3378@thunder.trustix.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2001-0002
Package name: OpenSSH
Severity: Possible to determine password length
Date: 2001-03-29
Affected versions: TSL 1.01, 1.1, 1.2
- --------------------------------------------------------------------------
Problem description:
From the release notes of Portable OpenSSH-2.5.2p2:
Security related changes:
Improved countermeasure against "Passive Analysis of SSH
(Secure Shell) Traffic"
http://openwall.com/advisories/OW-003-ssh-traffic-analysis.txt
The countermeasures introduced in earlier OpenSSH-2.5.x
versions caused interoperability problems with some other
implementations.
Improved countermeasure against "SSH protocol 1.5 session key
recovery vulnerability"
http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm
Action:
We recommend that all systems which have this package installed be upgraded.
Location:
All TSL updates are available from
<URL:http://www.trusix.net/pub/Trustix/updates/>
<URL:ftp://ftp.trusix.net/pub/Trustix/updates/>
Users of the SWUP tool can have the security updates
automatically installed using 'swup --upgrade'.
Get SWUP from:
ftp://ftp.trustix.net/pub/Trustix/software/swup/
Questions?
Check out our mailing lists:
http://www.trustix.net/support/
Verification:
This advisory is signed with the TSL sign key. It is available from:
http://www.trustix.net/TSL-GPG-KEY
Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE6wyAzwRTcg4BxxS0RAodOAJ9G9BtOZaTpzYpbSkJDhXqKEn2ySwCfSXtq
52GvTRB1mSqAg+8difECgQk=
=MEis
-----END PGP SIGNATURE-----
--
Trustix Secure Linux Advisor
Homepage: http://www.trustix.net/
Errata: http://www.trustix.net/errata/
Automatic updates: http://www.trustix.net/pub/Trustix/software/swup/
(6288048) / <tsl@TRUSTIX.COM>/------------(Rewrapped)