Security Advisory Updated OpenSSH packages available

Advisory: RHSA-2001:161-10
Type: Security Advisory
Severity: N/A
Issued on: 2001-12-03
Last updated on: 2002-01-31
Affected Products: Red Hat Linux 7.0
Red Hat Linux 7.1
Red Hat Linux 7.2
OVAL: N/A
CVEs (cve.mitre.org): CVE-2001-0872

Details

Updated OpenSSH packages are now available for Red Hat Linux 7, 7.1, and
7.2. These packages fix a vulnerability which exists when a
server is configured with the "UseLogin" option.

When the "UseLogin" option is enabled in OpenSSH, a malicious user who
authenticates using key-based authentication methods can influence the
environment variables passed to the login process. This could
allow the user to execute arbitrary code with superuser privileges.
In Red Hat Linux the OpenSSH server has the "UseLogin" option disabled
by default. Therefore, it is not vulnerable unless the system administrator
has changed this setting.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2001-0872 to this issue.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Linux 7.0
SRPMS:
openssh-2.9p2-11.7.src.rpm
File outdated by:  RHSA-2002:127		     a404df85b0bd8ee13544f27d8bc80e41
 
Alpha:
openssh-2.9p2-11.7.alpha.rpm
File outdated by:  RHSA-2002:127		     9edc7fc8d4db042c391c9b569f06bbc6
openssh-askpass-2.9p2-11.7.alpha.rpm
File outdated by:  RHSA-2002:127		     e568631c7a7e0d4b73fe27053398cbe3
openssh-askpass-gnome-2.9p2-11.7.alpha.rpm
File outdated by:  RHSA-2002:127		     aa9fe70df6ea2fabdc7bcbb6ee18f77e
openssh-clients-2.9p2-11.7.alpha.rpm
File outdated by:  RHSA-2002:127		     d6c8d8b029358c1035d063688ee9a29f
openssh-server-2.9p2-11.7.alpha.rpm
File outdated by:  RHSA-2002:127		     a729bd387061f3fa437dfb7bcc44fc47
 
IA-32:
openssh-2.9p2-11.7.i386.rpm
File outdated by:  RHSA-2002:127		     9032ed606510cb0647015ec25bcb8a65
openssh-askpass-2.9p2-11.7.i386.rpm
File outdated by:  RHSA-2002:127		     388f0ab300dd833c565381a161a2d469
openssh-askpass-gnome-2.9p2-11.7.i386.rpm
File outdated by:  RHSA-2002:127		     142f92df28c2ec27eafb56313190927e
openssh-clients-2.9p2-11.7.i386.rpm
File outdated by:  RHSA-2002:127		     a8e73953e02df3277479a45c89284ad6
openssh-server-2.9p2-11.7.i386.rpm
File outdated by:  RHSA-2002:127		     6b87c6cb013cd3303432f1bf45326735
 
Red Hat Linux 7.1
SRPMS:
openssh-2.9p2-11.7.src.rpm
File outdated by:  RHSA-2002:127		     a404df85b0bd8ee13544f27d8bc80e41
 
Alpha:
openssh-2.9p2-11.7.alpha.rpm
File outdated by:  RHSA-2002:127		     9edc7fc8d4db042c391c9b569f06bbc6
openssh-askpass-2.9p2-11.7.alpha.rpm
File outdated by:  RHSA-2002:127		     e568631c7a7e0d4b73fe27053398cbe3
openssh-askpass-gnome-2.9p2-11.7.alpha.rpm
File outdated by:  RHSA-2002:127		     aa9fe70df6ea2fabdc7bcbb6ee18f77e
openssh-clients-2.9p2-11.7.alpha.rpm
File outdated by:  RHSA-2002:127		     d6c8d8b029358c1035d063688ee9a29f
openssh-server-2.9p2-11.7.alpha.rpm
File outdated by:  RHSA-2002:127		     a729bd387061f3fa437dfb7bcc44fc47
 
IA-32:
openssh-2.9p2-11.7.i386.rpm
File outdated by:  RHSA-2003:279		     9032ed606510cb0647015ec25bcb8a65
openssh-askpass-2.9p2-11.7.i386.rpm
File outdated by:  RHSA-2003:279		     388f0ab300dd833c565381a161a2d469
openssh-askpass-gnome-2.9p2-11.7.i386.rpm
File outdated by:  RHSA-2003:279		     142f92df28c2ec27eafb56313190927e
openssh-clients-2.9p2-11.7.i386.rpm
File outdated by:  RHSA-2003:279		     a8e73953e02df3277479a45c89284ad6
openssh-server-2.9p2-11.7.i386.rpm
File outdated by:  RHSA-2003:279		     6b87c6cb013cd3303432f1bf45326735
 
IA-64:
openssh-2.9p2-11.7.ia64.rpm
File outdated by:  RHSA-2002:127		     093fff2a546589e129afdf984b419173
openssh-askpass-2.9p2-11.7.ia64.rpm
File outdated by:  RHSA-2002:127		     a3531573d0dbe68ed548cff3f5de023c
openssh-askpass-gnome-2.9p2-11.7.ia64.rpm
File outdated by:  RHSA-2002:127		     8cc6096f248bb13ef9eec2b31a71ccc7
openssh-clients-2.9p2-11.7.ia64.rpm
File outdated by:  RHSA-2002:127		     e842d4ba17ec0889e54730ad33e722e5
openssh-server-2.9p2-11.7.ia64.rpm
File outdated by:  RHSA-2002:127		     b8c3f281c2c7be14f71994d20205723b
 
Red Hat Linux 7.2
SRPMS:
openssh-2.9p2-12.src.rpm
File outdated by:  RHSA-2003:279		     5f12c077bf40570dac9b950d83f1e960
 
IA-32:
openssh-2.9p2-12.i386.rpm
File outdated by:  RHSA-2003:279		     1a11b675b6af99f9edffeef639825916
openssh-askpass-2.9p2-12.i386.rpm
File outdated by:  RHSA-2003:279		     850879609a667619c7e952fadca3063c
openssh-askpass-gnome-2.9p2-12.i386.rpm
File outdated by:  RHSA-2003:279		     99620e435ce9d69c851e10695828eb80
openssh-clients-2.9p2-12.i386.rpm
File outdated by:  RHSA-2003:279		     ff3f8671339645ccbdfa65a03e4b4d09
openssh-server-2.9p2-12.i386.rpm
File outdated by:  RHSA-2003:279		     199895daa920eac36c2567ced3c70e9b
 
s390:
ftp://updates.redhat.com/7.2/en/os/s390/openssh-2.9p2-12.s390.rpm
Missing file		     ff3471022d882689493a5bc330a85b1c
ftp://updates.redhat.com/7.2/en/os/s390/openssh-askpass-2.9p2-12.s390.rpm
Missing file		     f6f09e32bcbee409e7f04c47e3e724f8
ftp://updates.redhat.com/7.2/en/os/s390/openssh-askpass-gnome-2.9p2-12.s390.rpm
Missing file		     ad266950d29e42d128a0d3e727d01913
ftp://updates.redhat.com/7.2/en/os/s390/openssh-clients-2.9p2-12.s390.rpm
Missing file		     86f6bcb8166947161bc082f4087564c6
ftp://updates.redhat.com/7.2/en/os/s390/openssh-server-2.9p2-12.s390.rpm
Missing file		     26f739c35bee9635e8c4add1ae3733ce
 

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0872
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100747128105913
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0872

Keywords

openssh, uselogin

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/