linux, säkerhet

8663118 2002-06-27 00:40 -0400  /166 rader/ White Vampire <whitevampire@mindless.com>
Sänt av: joel@lysator.liu.se
Importerad: 2002-06-29  06:02  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <22888>
Ärende: [slackware-security] New OpenSSH packages available
------------------------------------------------------------
From: White Vampire <whitevampire@mindless.com>
To: bugtraq@securityfocus.com
Message-ID: <20020627004004.D1999@lsd>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ----- Forwarded message from Slackware Security Team <security@slackware.com> -----

Return-Path: <owner-slackware-security@slackware.com>
Delivered-To: whitvamp@localhost
Received: (qmail 32199 invoked from network); 26 Jun 2002 22:35:58 -0000
Received: from unknown (HELO localhost) (127.0.0.1)
  by 127.0.0.1 with SMTP; 26 Jun 2002 22:35:58 -0000
Delivered-To: vampwhit@lilly.csoft.net
Received: from mail102.csoft.net [63.111.26.110]
	by localhost with POP3 (fetchmail-5.8.3)
	for whitvamp@localhost (single-drop); Wed, 26 Jun 2002
18:35:58 -0400 (EDT) Received: (qmail 58313 invoked from network); 26
Jun 2002 22:34:32 -0000 Received: from 205-158-62-72.outblaze.com
(HELO spf10.us4.outblaze.com) (205.158.62.72)
  by mail102.csoft.net with SMTP; 26 Jun 2002 22:34:32 -0000
Received: from bob.slackware.com (slackware.com [207.173.11.34])
	by spf10.us4.outblaze.com (8.12.4/8.12.4) with ESMTP id g5QMW9gr049040
	for <whitevampire@mindless.com>; Wed, 26 Jun 2002 22:32:09 GMT
Received: (from daemon@localhost)
	by bob.slackware.com (8.11.6/8.11.6) id g5QKjn631503
	for slackware-security-outgoing; Wed, 26 Jun 2002 13:45:49 -0700
Received: from localhost (security@localhost)
	by bob.slackware.com (8.11.6/8.11.6) with ESMTP id g5QKjmB31500
	for <slackware-security@slackware.com>; Wed, 26 Jun 2002
13:45:48 -0700 Date: Wed, 26 Jun 2002 13:45:48 -0700 (PDT) From:
Slackware Security Team <security@slackware.com> To:
slackware-security@slackware.com Subject: [slackware-security] New
OpenSSH packages available Message-ID:
<Pine.LNX.4.21.0206261345220.31468-100000@bob.slackware.com>
MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender:
owner-slackware-security@slackware.com Precedence: bulk Reply-To:
Slackware Security Team <security@slackware.com>


New OpenSSH 3.4p1 packages providing privilege separation for improved
security are available for Slackware 7.1, 8.0, and 8.1.  Here are the
details from the Slackware 8.1 ChangeLog:

- ----------------------------
Wed Jun 26 12:03:06 PDT 2002
patches/packages/openssh-3.4p1-i386-1.tgz:  Upgraded to openssh-3.4p1.
  This version enables privilege separation by default.  The
  README.privsep file says this about it:

     Privilege separation, or privsep, is method in OpenSSH by which
     operations that require root privilege are performed by a separate
     privileged monitor process.  Its purpose is to prevent privilege
     escalation by containing corruption to an unprivileged process.  More
     information is available at:
       http://www.citi.umich.edu/u/provos/ssh/privsep.html

  Note that ISS has released an advisory on OpenSSH (OpenSSH Remote
  Challenge Vulnerability).  Slackware is not affected by this issue,
  as we have never included AUTH_BSD, S/KEY, or PAM.  Unless at least
  one of  these options is compiled into sshd, it is not vulnerable.
  Further note that none of these options are turned on in a default
  build from source code, so if you have built sshd yourself you
  should not be vulnerable unless you've enabled one of these options.

  Regardless, the security provided by privsep is unquestionably
  better.  This time we (Slackware) were lucky, but next time we
  might not be.  Therefore we recommend that all sites running the
  OpenSSH daemon (sshd, enabled by default in Slackware 8.1) upgrade
  to this new openssh package.  After upgrading the package, restart
  the daemon like this:

  /etc/rc.d/rc.sshd restart

  We would like to thank Theo and the rest of the OpenSSH team for
  their quick handling of this issue, Niels Provos and Markus Friedl
  for  implementing privsep, and Solar Designer for working out
  issues with
  privsep on 2.2 Linux kernels.
- ----------------------------

The text of the ISS Advisory may be found here:
  http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584


WHERE TO FIND THE NEW PACKAGES:
- -------------------------------
Updated OpenSSH package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/openssh-3.4p1-i386-1.tgz

Updated OpenSSH package for Slackware 8.0:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/openssh.tgz

Updated OpenSSH package for Slackware 7.1:
ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/openssh.tgz


MD5 SIGNATURES:
- ---------------

Here are the md5sums for the packages:

Slackware 8.1:
bfd503d88144c62906deef4a1280f583  openssh-3.4p1-i386-1.tgz

Slackware 8.0:
a88c387e5261dd9ac90b113e85d054ed  openssh.tgz

Slackware 7.1:
416b8e06b181ab01a975958a893688b3  openssh.tgz


INSTALLATION INSTRUCTIONS:
- --------------------------

First upgrade the OpenSSH package:

   # upgradepkg openssh-3.4p1-i386-1.tgz

Then, check the /etc/ssh/ directory where the new config files will be
installed as ssh_config.new and sshd_config.new.  Most sites will want
to move these on top of the existing config files:

   # mv ssh_config.new ssh_config
   # mv sshd_config.new sshd_config

Finally, restart the sshd daemon:

   # . /etc/rc.d/rc.sshd restart


- - Slackware Linux Security Team
  http://www.slackware.com


+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST:                         |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back.  Follow the instructions to  |
| complete the unsubscription.  Do not reply to this message to          |
| unsubscribe!                                                           |
+------------------------------------------------------------------------+



- ----- End forwarded message -----

- -- 
\   | \  /  White Vampire\Rem                |  http://gammaforce.org/
 \|\|  \/   whitevampire@mindless.com        |  http://gammagear.com/
"Silly hacker, root is for administrators."  |  http://webfringe.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (GNU/Linux)

iD8DBQE9Gpck3+rxmnEDyl8RAvLsAJ49lr5w9jWucEd/3zWMysv2yfj/vACfTTlX
ebWzoXoRVmTVsiLja5+MSWQ=
=RqhO
-----END PGP SIGNATURE-----
(8663118) /White Vampire <whitevampire@mindless.com>/(Ombruten)