[ESA-20020625-015] openssh: introduce privilege separation into sshd

From: EnGarde Secure Linux (securityat_private)
Date: Mon Jun 24 2002 - 23:27:30 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    
    +------------------------------------------------------------------------+
    | EnGarde Secure Linux Security Advisory                   June 25, 2002 |
    | http://www.engardelinux.org/                          ESA-20020625-015 |
    |                                                                        |
    | Package: openssh                                                       |
    | Summary: introduce privilege separation into sshd.                     |
    +------------------------------------------------------------------------+
    
      EnGarde Secure Linux is a secure distribution of Linux that features
      improved access control, host and network intrusion detection, Web
      based secure remote management, complete e-commerce using AllCommerce,
      and integrated open source security tools.
    
    OVERVIEW
    - --------
      Theo de Raadt announced the existence of an upcoming vulnerability in
      the OpenSSH secure shell daemon.  He also noted that versions of sshd
      with a new feature called "privilege separation" were immune to the
      attack (which he gave no details on).  Thus we were required to
      upgrade to OpenSSH 3.3p1, a major upgrade from versions we have shipped
      in the past.
    
      Below are some important notes for this update.
    
        * If you have not edited your /etc/ssh/sshd_config then a new one
          will be put in place which disables root logins over SSH.  The
          default behavior in EnGarde 1.0.1 was to permit root logins.
    
        * Theo made it clear that this version does not fix the upcoming
          vulnerability.  Proper updates will be made available when the
          issue is announced and fixed.
    
        * The new privilege separation code has a few bugs interacting with
          PAM and resource limits.
    
        * A new user and group (sshd) will be added.
    
        * This is a security update in addition to a major upgrade, so
          please report any problems you have to us via the engarde-users
          mailing list (or supportat_private for EnGarde Secure
          Professional users).
    
      For more information on privilege separation, please see:
    
        http://www.citi.umich.edu/u/provos/ssh/privsep.html
    
      The full text of Theo's announcement may be found at:
    
        http://www.linuxsecurity.com/articles/cryptography_article-5185.html
    
    SOLUTION
    - --------
      Users of the EnGarde Professional edition can use the Guardian Digital
      Secure Network to update their systems automatically.
    
      EnGarde Community users should upgrade to the most recent version
      as outlined in this advisory.  Updates may be obtained from:
    
        ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
        http://ftp.engardelinux.org/pub/engarde/stable/updates/
    
      Before upgrading the package, the machine must either:
    
        a) be booted into a "standard" kernel; or
        b) have LIDS disabled.
    
      To disable LIDS, execute the command:
    
        # /sbin/lidsadm -S -- -LIDS_GLOBAL
    
      To install the updated package, execute the command:
    
        # rpm -Uvh file
    
      You must now update the LIDS configuration by executing the command:
    
        # /usr/sbin/config_lids.pl
    
      To re-enable LIDS (if it was disabled), execute the command:
    
        # /sbin/lidsadm -S -- +LIDS_GLOBAL
    
      To verify the signatures of the updated packages, execute the command:
    
        # rpm -Kv file
    
    UPDATED PACKAGES
    - ----------------
      These updated packages are for EnGarde Secure Linux Community
      Edition.
    
      Source Packages:
    
        SRPMS/openssh-3.3p1-1.0.20.src.rpm
          MD5 Sum: 0f9e0d131692a49b29fa6af9221d9e35
    
      Binary Packages:
    
        i386/openssh-3.3p1-1.0.20.i386.rpm
          MD5 Sum: d23e26a839a6a4db4de0096bffaef569
    
        i386/openssh-clients-3.3p1-1.0.20.i386.rpm
          MD5 Sum: bc0032917f4f4d2d350ab7069ff569cb
    
        i386/openssh-server-3.3p1-1.0.20.i386.rpm
          MD5 Sum: 2fbee870d2c12d3d6ed35ee5dc629fdf
    
        i686/openssh-3.3p1-1.0.20.i686.rpm
          MD5 Sum: 66ce0b136d443f58e670007ddfb3562c
    
        i686/openssh-clients-3.3p1-1.0.20.i686.rpm
          MD5 Sum: 78c0d016cff46e806da1f70c8fde8acf
    
        i686/openssh-server-3.3p1-1.0.20.i686.rpm
          MD5 Sum: 16c6e309892abe9a5a88e72846358a2f
    
    REFERENCES
    - ----------
      Guardian Digital's public key:
        http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
    
      OpenSSH's Official Web Site:
        http://www.openssh.org/
    
      Security Contact:   securityat_private
      EnGarde Advisories: http://www.engardelinux.org/advisories.html
    
    - --------------------------------------------------------------------------
    $Id: ESA-20020625-015-openssh,v 1.2 2002/06/25 06:25:54 rwm Exp $
    - --------------------------------------------------------------------------
    Author: Ryan W. Maple, <ryanat_private> 
    Copyright 2002, Guardian Digital, Inc.
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org
    
    iD8DBQE9GA1jHD5cqd57fu0RAlcbAKCct6KNAUPUCEtPkn46/dqmaz6qBACcC7OP
    1XkWqqpockiPSdKRqDXbjb8=
    =3GQ8
    -----END PGP SIGNATURE-----
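
A post-upgrade check for three of the points in the advisory's notes (root logins, privilege separation, the new sshd user and group), as an added example that is not part of the advisory or of EnGarde's tooling. The function names and the sample files are constructed for illustration; the parser assumes the whitespace-separated "Keyword value" form of sshd_config.

```shell
#!/bin/sh
# Added example: post-upgrade audit of the points in the advisory's notes.

# Effective value of an sshd_config keyword. Keywords are case-insensitive
# and sshd uses the first occurrence it reads; "unset" means built-in default.
sshd_effective() {   # $1 = keyword, $2 = sshd_config path
    awk -v key="$1" '
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$2"
}

audit_sshd() {       # $1 = sshd_config, $2 = passwd file, $3 = group file
    cfg=$1; passwd=${2:-/etc/passwd}; group=${3:-/etc/group}; rc=0
    root=$(sshd_effective PermitRootLogin "$cfg")
    if [ "$root" = no ]; then echo "OK   PermitRootLogin no"
    else echo "WARN PermitRootLogin $root (edited config kept by the upgrade?)"; rc=1
    fi
    privsep=$(sshd_effective UsePrivilegeSeparation "$cfg")
    if [ "$privsep" = no ]; then echo "FAIL UsePrivilegeSeparation no"; rc=1
    else echo "OK   UsePrivilegeSeparation $privsep"
    fi
    grep -q '^sshd:' "$passwd" || { echo "FAIL no sshd user in $passwd"; rc=1; }
    grep -q '^sshd:' "$group"  || { echo "FAIL no sshd group in $group"; rc=1; }
    return $rc
}

# Constructed sample: a hand-edited config carried over from before the
# upgrade, plus passwd/group files that lack the new sshd account.
make_sample() {      # $1 = directory to write the sample files into
    printf '%s\n' '# PermitRootLogin no' 'Port 22' 'PermitRootLogin yes' \
        'permitrootlogin no' 'UsePrivilegeSeparation yes' > "$1/sshd_config"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' > "$1/passwd"
    printf '%s\n' 'root:x:0:' > "$1/group"
}

tmp=$(mktemp -d)
make_sample "$tmp"
audit_sshd "$tmp/sshd_config" "$tmp/passwd" "$tmp/group" || echo "audit: issues found"
rm -rf "$tmp"
```

On a real host, call `audit_sshd /etc/ssh/sshd_config` and the passwd and group paths default to /etc/passwd and /etc/group.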
    


