[Full-Disclosure] [RHSA-2003:222-01] Updated openssh packages available

From: bugzillaat_private
Date: Tue Jul 29 2003 - 10:14:48 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - ---------------------------------------------------------------------
                       Red Hat Security Advisory
    
    Synopsis:          Updated openssh packages available
    Advisory ID:       RHSA-2003:222-01
    Issue date:        2003-07-29
    Updated on:        2003-07-29
    Product:           Red Hat Linux
    Keywords:          openssh pam timing information leak
    Cross references:  
    Obsoletes:         RHSA-2002:127
    CVE Names:         CAN-2003-0190
    - ---------------------------------------------------------------------
    
    1. Topic:
    
    Updated OpenSSH packages are now available.  These updates close an
    information leak caused by sshd's interaction with the PAM system.
    
    2. Relevant releases/architectures:
    
    Red Hat Linux 7.1 - i386
    Red Hat Linux 7.1 for iSeries (64 bit) - ppc
    Red Hat Linux 7.1 for pSeries (64 bit) - ppc
    Red Hat Linux 7.2 - i386, ia64
    Red Hat Linux 7.3 - i386
    Red Hat Linux 8.0 - i386
    Red Hat Linux 9 - i386
    
    3. Problem description:
    
    OpenSSH is a suite of network connectivity tools that can be used to
    establish encrypted connections between systems on a network and can
    provide interactive login sessions and port forwarding, among other functions.
    
    When configured to allow password-based or challenge-response
    authentication, sshd (the OpenSSH server) uses PAM (Pluggable
    Authentication Modules) to verify the user's password.  Under certain
    conditions, OpenSSH versions prior to 3.6.1p1 reject an invalid
    authentication attempt without first attempting authentication using PAM.
    
    If PAM is configured with its default failure delay, the amount of time
    sshd takes to reject an invalid authentication request varies widely enough
    that the timing variations could be used to deduce whether or not an
    account with a specified name existed on the server.  This information
    could then be used to narrow the focus of an attack against some other
    system component.
    
    These updates contain backported fixes that cause sshd to always attempt
    PAM authentication when performing password and challenge-response
    authentication for clients.
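The two code paths the advisory describes, modelled as an added example (this is not Red Hat's or OpenSSH's code). It accounts for time as integer milliseconds instead of sleeping, so the comparison is deterministic: the pre-3.6.1p1 variant rejects an unknown account before PAM runs and so never incurs PAM's failure delay, while the patched variant always consults PAM, making a rejection cost the same whether or not the account exists. The account list, the `pam_authenticate` stand-in and the delay constants are constructed for the model; the 2-second figure is an assumed value for Linux-PAM's default failure delay, not something the advisory states.

```python
"""Model of the sshd/PAM timing leak in CAN-2003-0190 and of the backported fix.

Added example, not code from Red Hat or OpenSSH. Every name below is a
stand-in constructed for the model.
"""

from dataclasses import dataclass

PAM_FAIL_DELAY_MS = 2000   # assumed: PAM's default delay on a failed authentication
LOOKUP_MS = 1              # assumed cost of the account lookup sshd performs first

# Constructed account database (name -> password).
KNOWN_ACCOUNTS = {"alice": "correct-horse", "bob": "battery-staple"}


@dataclass
class Attempt:
    user: str
    password: str


@dataclass
class Result:
    accepted: bool
    elapsed_ms: int


def pam_authenticate(user, password):
    """Stand-in for the PAM conversation: succeeds only on the right password
    and charges the failure delay on every rejection, unknown names included."""
    if KNOWN_ACCOUNTS.get(user) == password:
        return True, 0
    return False, PAM_FAIL_DELAY_MS


def sshd_vulnerable(attempt):
    """Pre-3.6.1p1 path: an unknown account is rejected right after the lookup,
    so PAM (and its delay) only runs when the account exists."""
    elapsed = LOOKUP_MS
    if attempt.user not in KNOWN_ACCOUNTS:
        return Result(False, elapsed)
    ok, delay = pam_authenticate(attempt.user, attempt.password)
    return Result(ok, elapsed + delay)


def sshd_fixed(attempt):
    """Patched path: PAM is always consulted, so a rejection takes the same
    time regardless of whether the account exists."""
    elapsed = LOOKUP_MS
    ok, delay = pam_authenticate(attempt.user, attempt.password)
    return Result(ok, elapsed + delay)


def rejection_timing_gap(server):
    """Difference in rejection time between an existing and a non-existent
    account, both tried with a wrong password. A non-zero gap is the leak."""
    real = server(Attempt("alice", "wrong")).elapsed_ms
    fake = server(Attempt("nobody", "wrong")).elapsed_ms
    return abs(real - fake)


if __name__ == "__main__":
    for label, server in (("pre-3.6.1p1", sshd_vulnerable), ("patched", sshd_fixed)):
        print(f"{label}: rejection timing gap = {rejection_timing_gap(server)} ms")
```

The design point the model makes is the general one behind the fix: an authentication routine should take the same path, and do the same work, for a name it does not know as for one it does, so that the time to a rejection carries no information about account existence.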
    
    4. Solution:
    
    Before applying this update, make sure all previously released errata
    relevant to your system have been applied.
    
    To update all RPMs for your particular architecture, run:
    
    rpm -Fvh [filenames]
    
    where [filenames] is a list of the RPMs you wish to upgrade.  Only those
    RPMs which are currently installed will be updated.  Those RPMs which are
    not installed but included in the list will not be updated.  Note that you
    can also use wildcards (*.rpm) if your current directory *only* contains the
    desired RPMs.
    
    Please note that this update is also available via Red Hat Network.  Many
    people find this an easier way to apply updates.  To use Red Hat Network,
    launch the Red Hat Update Agent with the following command:
    
    up2date
    
    This will start an interactive process that will result in the appropriate
    RPMs being upgraded on your system.
    
    5. RPMs required:
    
    Red Hat Linux 7.1:
    
    SRPMS:
    ftp://updates.redhat.com/7.1/en/os/SRPMS/openssh-3.1p1-7.src.rpm
    
    i386:
    ftp://updates.redhat.com/7.1/en/os/i386/openssh-3.1p1-7.i386.rpm
    ftp://updates.redhat.com/7.1/en/os/i386/openssh-clients-3.1p1-7.i386.rpm
    ftp://updates.redhat.com/7.1/en/os/i386/openssh-server-3.1p1-7.i386.rpm
    ftp://updates.redhat.com/7.1/en/os/i386/openssh-askpass-3.1p1-7.i386.rpm
    ftp://updates.redhat.com/7.1/en/os/i386/openssh-askpass-gnome-3.1p1-7.i386.rpm
    
    Red Hat Linux 7.1 for iSeries (64 bit):
    
    SRPMS:
    ftp://updates.redhat.com/7.1/en/os/iSeries/SRPMS/openssh-3.1p1-7.src.rpm
    
    ppc:
    ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/openssh-3.1p1-7.ppc.rpm
    ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/openssh-clients-3.1p1-7.ppc.rpm
    ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/openssh-server-3.1p1-7.ppc.rpm
    ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/openssh-askpass-3.1p1-7.ppc.rpm
    ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/openssh-askpass-gnome-3.1p1-7.ppc.rpm
    
    Red Hat Linux 7.1 for pSeries (64 bit):
    
    SRPMS:
    ftp://updates.redhat.com/7.1/en/os/pSeries/SRPMS/openssh-3.1p1-7.src.rpm
    
    ppc:
    ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/openssh-3.1p1-7.ppc.rpm
    ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/openssh-clients-3.1p1-7.ppc.rpm
    ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/openssh-server-3.1p1-7.ppc.rpm
    ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/openssh-askpass-3.1p1-7.ppc.rpm
    ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/openssh-askpass-gnome-3.1p1-7.ppc.rpm
    
    Red Hat Linux 7.2:
    
    SRPMS:
    ftp://updates.redhat.com/7.2/en/os/SRPMS/openssh-3.1p1-8.src.rpm
    
    i386:
    ftp://updates.redhat.com/7.2/en/os/i386/openssh-3.1p1-8.i386.rpm
    ftp://updates.redhat.com/7.2/en/os/i386/openssh-clients-3.1p1-8.i386.rpm
    ftp://updates.redhat.com/7.2/en/os/i386/openssh-server-3.1p1-8.i386.rpm
    ftp://updates.redhat.com/7.2/en/os/i386/openssh-askpass-3.1p1-8.i386.rpm
    ftp://updates.redhat.com/7.2/en/os/i386/openssh-askpass-gnome-3.1p1-8.i386.rpm
    
    ia64:
    ftp://updates.redhat.com/7.2/en/os/ia64/openssh-3.1p1-8.ia64.rpm
    ftp://updates.redhat.com/7.2/en/os/ia64/openssh-clients-3.1p1-8.ia64.rpm
    ftp://updates.redhat.com/7.2/en/os/ia64/openssh-server-3.1p1-8.ia64.rpm
    ftp://updates.redhat.com/7.2/en/os/ia64/openssh-askpass-3.1p1-8.ia64.rpm
    ftp://updates.redhat.com/7.2/en/os/ia64/openssh-askpass-gnome-3.1p1-8.ia64.rpm
    
    Red Hat Linux 7.3:
    
    SRPMS:
    ftp://updates.redhat.com/7.3/en/os/SRPMS/openssh-3.1p1-8.src.rpm
    
    i386:
    ftp://updates.redhat.com/7.3/en/os/i386/openssh-3.1p1-8.i386.rpm
    ftp://updates.redhat.com/7.3/en/os/i386/openssh-clients-3.1p1-8.i386.rpm
    ftp://updates.redhat.com/7.3/en/os/i386/openssh-server-3.1p1-8.i386.rpm
    ftp://updates.redhat.com/7.3/en/os/i386/openssh-askpass-3.1p1-8.i386.rpm
    ftp://updates.redhat.com/7.3/en/os/i386/openssh-askpass-gnome-3.1p1-8.i386.rpm
    
    Red Hat Linux 8.0:
    
    SRPMS:
    ftp://updates.redhat.com/8.0/en/os/SRPMS/openssh-3.4p1-4.src.rpm
    
    i386:
    ftp://updates.redhat.com/8.0/en/os/i386/openssh-3.4p1-4.i386.rpm
    ftp://updates.redhat.com/8.0/en/os/i386/openssh-clients-3.4p1-4.i386.rpm
    ftp://updates.redhat.com/8.0/en/os/i386/openssh-server-3.4p1-4.i386.rpm
    ftp://updates.redhat.com/8.0/en/os/i386/openssh-askpass-3.4p1-4.i386.rpm
    ftp://updates.redhat.com/8.0/en/os/i386/openssh-askpass-gnome-3.4p1-4.i386.rpm
    
    Red Hat Linux 9:
    
    SRPMS:
    ftp://updates.redhat.com/9/en/os/SRPMS/openssh-3.5p1-6.9.src.rpm
    
    i386:
    ftp://updates.redhat.com/9/en/os/i386/openssh-3.5p1-6.9.i386.rpm
    ftp://updates.redhat.com/9/en/os/i386/openssh-clients-3.5p1-6.9.i386.rpm
    ftp://updates.redhat.com/9/en/os/i386/openssh-server-3.5p1-6.9.i386.rpm
    ftp://updates.redhat.com/9/en/os/i386/openssh-askpass-3.5p1-6.9.i386.rpm
    ftp://updates.redhat.com/9/en/os/i386/openssh-askpass-gnome-3.5p1-6.9.i386.rpm
    6. Verification:
    
    MD5 sum                          Package Name
    - --------------------------------------------------------------------------
    bfbd152a2069230041ff1298b0562061 7.1/en/os/SRPMS/openssh-3.1p1-7.src.rpm
    48c37500a4c7984673878edbef7e9cde 7.1/en/os/i386/openssh-3.1p1-7.i386.rpm
    3f59bffd703bac24632f4e34e2beed22 7.1/en/os/i386/openssh-askpass-3.1p1-7.i386.rpm
    def478c5b3f97af908e3cb4d8306662b 7.1/en/os/i386/openssh-askpass-gnome-3.1p1-7.i386.rpm
    e9947146ea766572cbd9457f320a4f06 7.1/en/os/i386/openssh-clients-3.1p1-7.i386.rpm
    879cbb50923935cebf20b39578dc8eed 7.1/en/os/i386/openssh-server-3.1p1-7.i386.rpm
    bfbd152a2069230041ff1298b0562061 7.1/en/os/iSeries/SRPMS/openssh-3.1p1-7.src.rpm
    7c8aa13e79e6c856181852de76c86722 7.1/en/os/iSeries/ppc/openssh-3.1p1-7.ppc.rpm
    b1a591c23d345fd96f2d0fab2eb958be 7.1/en/os/iSeries/ppc/openssh-askpass-3.1p1-7.ppc.rpm
    ae6d48792fea701e75b114333babe37c 7.1/en/os/iSeries/ppc/openssh-askpass-gnome-3.1p1-7.ppc.rpm
    f7ee0ce5cefe22043828863da06ce331 7.1/en/os/iSeries/ppc/openssh-clients-3.1p1-7.ppc.rpm
    d9f993c8fa47ec3956f5e1e3c6f176d5 7.1/en/os/iSeries/ppc/openssh-server-3.1p1-7.ppc.rpm
    bfbd152a2069230041ff1298b0562061 7.1/en/os/pSeries/SRPMS/openssh-3.1p1-7.src.rpm
    7c8aa13e79e6c856181852de76c86722 7.1/en/os/pSeries/ppc/openssh-3.1p1-7.ppc.rpm
    b1a591c23d345fd96f2d0fab2eb958be 7.1/en/os/pSeries/ppc/openssh-askpass-3.1p1-7.ppc.rpm
    ae6d48792fea701e75b114333babe37c 7.1/en/os/pSeries/ppc/openssh-askpass-gnome-3.1p1-7.ppc.rpm
    f7ee0ce5cefe22043828863da06ce331 7.1/en/os/pSeries/ppc/openssh-clients-3.1p1-7.ppc.rpm
    d9f993c8fa47ec3956f5e1e3c6f176d5 7.1/en/os/pSeries/ppc/openssh-server-3.1p1-7.ppc.rpm
    22f17a835f12a4131a21487d5ee3dec6 7.2/en/os/SRPMS/openssh-3.1p1-8.src.rpm
    013694ec0e839f077e7980d9cebfa277 7.2/en/os/i386/openssh-3.1p1-8.i386.rpm
    a942a051510a5a0aa34b0774d6eb8ee0 7.2/en/os/i386/openssh-askpass-3.1p1-8.i386.rpm
    de35a67fa21ec478aff57ce5c830f84e 7.2/en/os/i386/openssh-askpass-gnome-3.1p1-8.i386.rpm
    8c9d37f46f76093eccea80571d687d46 7.2/en/os/i386/openssh-clients-3.1p1-8.i386.rpm
    42ec08d8633862da9c988524fecdafbb 7.2/en/os/i386/openssh-server-3.1p1-8.i386.rpm
    d9441bbe925832b82766b8140fb4bb77 7.2/en/os/ia64/openssh-3.1p1-8.ia64.rpm
    58765b526317e03dcf9371d9b225fa68 7.2/en/os/ia64/openssh-askpass-3.1p1-8.ia64.rpm
    46b8de0e5072ff7ee614c7e5dfc536b9 7.2/en/os/ia64/openssh-askpass-gnome-3.1p1-8.ia64.rpm
    1e95e8ca735b971bcb1a1824becaa582 7.2/en/os/ia64/openssh-clients-3.1p1-8.ia64.rpm
    8ae51f6f0116f60fd29545b4f9560613 7.2/en/os/ia64/openssh-server-3.1p1-8.ia64.rpm
    22f17a835f12a4131a21487d5ee3dec6 7.3/en/os/SRPMS/openssh-3.1p1-8.src.rpm
    013694ec0e839f077e7980d9cebfa277 7.3/en/os/i386/openssh-3.1p1-8.i386.rpm
    a942a051510a5a0aa34b0774d6eb8ee0 7.3/en/os/i386/openssh-askpass-3.1p1-8.i386.rpm
    de35a67fa21ec478aff57ce5c830f84e 7.3/en/os/i386/openssh-askpass-gnome-3.1p1-8.i386.rpm
    8c9d37f46f76093eccea80571d687d46 7.3/en/os/i386/openssh-clients-3.1p1-8.i386.rpm
    42ec08d8633862da9c988524fecdafbb 7.3/en/os/i386/openssh-server-3.1p1-8.i386.rpm
    81ed2140e12f15e4518fc2fe3aef10eb 8.0/en/os/SRPMS/openssh-3.4p1-4.src.rpm
    d625e5b2eca982b5b92ac0862eae1b73 8.0/en/os/i386/openssh-3.4p1-4.i386.rpm
    34e91b60c3b5296c8e5185d5cf832013 8.0/en/os/i386/openssh-askpass-3.4p1-4.i386.rpm
    536394cfe9c2b3068580269b346f6c1f 8.0/en/os/i386/openssh-askpass-gnome-3.4p1-4.i386.rpm
    ce583ee467532c9af9b9482cc90cd375 8.0/en/os/i386/openssh-clients-3.4p1-4.i386.rpm
    a81ee000ffc59c3f210fb4f08a02f2a7 8.0/en/os/i386/openssh-server-3.4p1-4.i386.rpm
    321f50363605e1976cc19b7ceacf6d26 9/en/os/SRPMS/openssh-3.5p1-6.9.src.rpm
    71613a13c1e40faa16f9a01fabf0e8b3 9/en/os/i386/openssh-3.5p1-6.9.i386.rpm
    7b70f6b671b87385646d382115974724 9/en/os/i386/openssh-askpass-3.5p1-6.9.i386.rpm
    9a8d60a683b055feba9855db74467fff 9/en/os/i386/openssh-askpass-gnome-3.5p1-6.9.i386.rpm
    5c18b658c8bed7c434d8d9f142a95e7f 9/en/os/i386/openssh-clients-3.5p1-6.9.i386.rpm
    3971445a5ee73f5c8b7fdc022b0432e8 9/en/os/i386/openssh-server-3.5p1-6.9.i386.rpm
    
    
    These packages are GPG signed by Red Hat for security.  Our key is
    available from http://www.redhat.com/security/keys.html
    
    You can verify each package with the following command:
        
        rpm --checksig -v <filename>
    
    If you only wish to verify that each package has not been corrupted or
    tampered with, examine only the md5sum with the following command:
        
        md5sum <filename>
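A small checker that applies section 6 to a directory of downloaded RPMs, added here as an example (it is not part of Red Hat's advisory or tooling). It parses lines in the table's own `<md5> <relative path>` format, hashes each `.rpm` present in the directory, and reports each package as OK, MISMATCH, MISSING (listed but not downloaded) or UNLISTED (present but not in the table). The embedded table excerpt uses two entries copied from section 6; the directory layout is whatever the caller passes in. As the advisory says, the md5 check only detects corruption; authenticity still comes from `rpm --checksig`, which verifies Red Hat's GPG signature.

```python
"""Verify downloaded RPMs against the MD5 table of an advisory.

Added example, not Red Hat tooling. Parses the advisory's "<md5> <path>"
lines, hashes local files and classifies each package.
"""

import hashlib
import os
import re
import sys
from pathlib import Path

# Excerpt in the advisory's table format; the two hash lines are copied from
# section 6 of RHSA-2003:222-01. Header and rule lines are skipped by the parser.
ADVISORY_TABLE = """\
MD5 sum                          Package Name
- --------------------------------------------------------------------------
71613a13c1e40faa16f9a01fabf0e8b3 9/en/os/i386/openssh-3.5p1-6.9.i386.rpm
3971445a5ee73f5c8b7fdc022b0432e8 9/en/os/i386/openssh-server-3.5p1-6.9.i386.rpm
"""

LINE_RE = re.compile(r"^([0-9a-f]{32})\s+(\S+\.rpm)$")


def parse_md5_table(text):
    """Return {package basename: expected md5} for every well-formed table line."""
    expected = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            expected[os.path.basename(m.group(2))] = m.group(1)
    return expected


def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk=1 << 16):
    """Hash a file in chunks so large RPMs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(expected, observed):
    """Compare expected hashes with observed ones; both are {basename: md5}."""
    status = {}
    for name, want in expected.items():
        got = observed.get(name)
        if got is None:
            status[name] = "MISSING"
        elif got == want:
            status[name] = "OK"
        else:
            status[name] = "MISMATCH"
    for name in observed:
        if name not in expected:
            status[name] = "UNLISTED"
    return status


def verify_downloads(download_dir, table_text=ADVISORY_TABLE):
    """Hash every *.rpm in download_dir and classify it against the table."""
    expected = parse_md5_table(table_text)
    observed = {p.name: md5_of_file(p) for p in Path(download_dir).glob("*.rpm")}
    return classify(expected, observed)


if __name__ == "__main__":
    directory = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, state in sorted(verify_downloads(directory).items()):
        print(f"{state:9} {name}")
```

Run it with the download directory as the only argument; a MISMATCH or UNLISTED result means the file should not be installed until it has been re-downloaded and checked again, and `rpm --checksig -v` should still be run on every package that reports OK.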
    
    
    7. References:
    
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0190
    
    8. Contact:
    
    The Red Hat security contact is <secalertat_private>.  More contact
    details at http://www.redhat.com/solutions/security/news/contact.html
    
    Copyright 2003 Red Hat, Inc.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)
    
    iD4DBQE/JqtfXlSAg2UNWIIRArN1AJj2J4983TGK0tX2JtuvVnRMan4PAJ9+aGuz
    eCjkS4HgrwVgCiekk+e+zg==
    =8jD6
    -----END PGP SIGNATURE-----
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    