OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Thomas Lotterer
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 06-Aug-2003 15:07:51
Branch: HEAD Handle: 2003080614075000
Added files:
openpkg-web/security OpenPKG-SA-2003.035-openssh.txt
Modified files:
openpkg-web security.txt security.wml
Log:
OpenPKG-SA-2003.035-openssh; CAN-2003-0190
Summary:
Revision Changes Path
1.41 +1 -0 openpkg-web/security.txt
1.59 +1 -0 openpkg-web/security.wml
1.1 +80 -0 openpkg-web/security/OpenPKG-SA-2003.035-openssh.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security.txt
============================================================================
$ cvs diff -u -r1.40 -r1.41 security.txt
--- openpkg-web/security.txt 10 Jul 2003 14:22:48 -0000 1.40
+++ openpkg-web/security.txt 6 Aug 2003 13:07:50 -0000 1.41
@@ -1,3 +1,4 @@
+06-Aug-2003: Security Advisory: S<OpenPKG-SA-2003.035-openssh>
10-Jul-2003: Security Advisory: S<OpenPKG-SA-2003.034-imagemagick>
10-Jul-2003: Security Advisory: S<OpenPKG-SA-2003.033-infozip>
07-Jul-2003: Security Advisory: S<OpenPKG-SA-2003.032-php>
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/security.wml
============================================================================
$ cvs diff -u -r1.58 -r1.59 security.wml
--- openpkg-web/security.wml 5 Aug 2003 08:47:06 -0000 1.58
+++ openpkg-web/security.wml 6 Aug 2003 13:07:50 -0000 1.59
@@ -76,6 +76,7 @@
</define-tag>
<box bdwidth=1 bdcolor="#a5a095" bdspace=10 bgcolor="#e5e0d5">
<table cellspacing=0 cellpadding=0 border=0>
+ <sa 2003.035 openssh>
<sa 2003.034 imagemagick>
<sa 2003.033 infozip>
<sa 2003.032 php>
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2003.035-openssh.txt
============================================================================
$ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.035-openssh.txt
--- /dev/null 2003-08-06 15:07:51.000000000 +0200
+++ OpenPKG-SA-2003.035-openssh.txt 2003-08-06 15:07:51.000000000 +0200
@@ -0,0 +1,80 @@
+________________________________________________________________________
+
+OpenPKG Security Advisory The OpenPKG Project
+http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
+OpenPKG-SA-2003.035 06-Aug-2003
+________________________________________________________________________
+
+Package: openssh
+Vulnerability: information leakage
+OpenPKG Specific: no
+
+Affected Releases: Affected Packages: Corrected Packages:
+OpenPKG CURRENT <= openssh-3.6.1p1-20030423 >= openssh-3.6.1p2-20030429
+OpenPKG 1.3 N/A
+OpenPKG 1.2 <= openssh-3.5p1-1.2.1 >= openssh-3.5p1-1.2.2
+
+Description:
+ According to a Mediaservice.net security advisory [0], a information
+ leakage exists in OpenSSH [1] 3.6.1p1 and earlier with PAM support
+ enabled. When a user does not exist, an error message is send
+ immediately which allows remote attackers to determine valid usernames
+ via a timing attack. OpenPKG installations are only affected when the
+ package was build '--with_pam yes', which is not the default. We could
+ only reproduce the problem on Linux. It seems FreeBSD and Solaris are
+ not vulnerable, the patch does not affect their behaviour. However,
+ the problem is related to the PAM configuration, not the operating
+ system. Using a non-default configuration might leak information on
+ other operating systems, too. On Linux systems, a valid workaround is
+ to add a "nodelay" option to the pam_unix.so auth.
+
+ The Common Vulnerabilities and Exposures (CVE) project assigned the id
+ CAN-2003-0190 [2] to the problem.
+
+ Please check whether you are affected by running "<prefix>/bin/rpm -q
+ openssh". If you have the "openssh" package installed and its version
+ is affected (see above), we recommend that you immediately upgrade it
+ (see Solution).
+
+Solution:
+ Select the updated source RPM appropriate for your OpenPKG release
+ [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
+ verify its integrity [7], build a corresponding binary RPM from it [3]
+ and update your OpenPKG installation by applying the binary RPM [4].
+ For the current release OpenPKG 1.2, perform the following operations
+ to permanently fix the security problem (for other releases adjust
+ accordingly).
+
+ $ ftp ftp.openpkg.org
+ ftp> bin
+ ftp> cd release/1.2/UPD
+ ftp> get openssh-3.5p1-1.2.2.src.rpm
+ ftp> bye
+ $ <prefix>/bin/rpm -v --checksig openssh-3.5p1-1.2.2.src.rpm
+ $ <prefix>/bin/rpm --rebuild openssh-3.5p1-1.2.2.src.rpm
+ $ su -
+ # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssh-3.5p1-1.2.2.*.rpm
+
+ Additionally, we recommend that you rebuild and reinstall
+ all dependent packages (see above), if any, too. [3][4]
+________________________________________________________________________
+
+References:
+ [0] http://lab.mediaservice.net/advisory/2003-01-openssh.txt
+ [1] http://www.openssh.com/
+ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0190
+ [3] http://www.openpkg.org/tutorial.html#regular-source
+ [4] http://www.openpkg.org/tutorial.html#regular-binary
+ [5] ftp://ftp.openpkg.org/release/1.2/UPD/openssh-3.5p1-1.2.2.src.rpm
+ [6] ftp://ftp.openpkg.org/release/1.2/UPD/
+ [7] http://www.openpkg.org/security.html#signature
+________________________________________________________________________
+
+For security reasons, this advisory was digitally signed with the
+OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the
+OpenPKG project which you can retrieve from http://pgp.openpkg.org and
+hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
+for details on how to verify the integrity of this advisory.
+________________________________________________________________________
+
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]
