Security Advisory Updated OpenSSH packages fix various security issues

Advisory: RHSA-2002:127-25
Type: Security Advisory
Severity: N/A
Issued on: 2003-06-27
Last updated on: 2003-06-27
Affected Products: Red Hat Linux 7.0
Red Hat Linux 7.1
Red Hat Linux 7.1 for iSeries
Red Hat Linux 7.1 for pSeries
Red Hat Linux 7.2
Red Hat Linux 7.3
OVAL: N/A
CVEs (cve.mitre.org): CVE-2002-0640

Details

Updated openssh packages are now available for Red Hat Linux 7, 7.1, 7.2,
and 7.3. These updates fix an input validation error in OpenSSH.

[Updated 16 April 2003]
Added packages for Red Hat Linux on IBM iSeries and pSeries systems.

OpenSSH provides an implementation of the SSH (secure shell) protocol used
for logging into and executing commands on remote machines.

Versions of the OpenSSH server between 2.3.1 and 3.3 contain an input
validation error that can result in an integer overflow and privilege
escalation.

At this time, Red Hat does not believe that the default installation of
OpenSSH on Red Hat Linux is vulnerable to this issue; however a user would
be vulnerable if the configuration option "PAMAuthenticationViaKbdInt" is
enabled in the sshd configuration file. Please note that this option is
not enabled by default.

We have applied the security fix provided by the OpenSSH team to these
errata packages which are based on OpenSSH 3.1p1. This should minimize the
impact of upgrading to our errata packages.

All users of OpenSSH should update to these errata packages which are not
vulnerable to this issue.

[Update 6/28/2002]
Added packages for Red Hat Linux 7.2 for s390.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Linux 7.0
SRPMS:
openssh-3.1p1-5.src.rpm
File outdated by:  RHSA-2003:222		     d1f19327b85cddfbcf3167b3374842a7
 
Alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/openssh-3.1p1-5.alpha.rpm
Missing file		     f6176399bd232630f8bb517d8f4dd42e
ftp://updates.redhat.com/7.0/en/os/alpha/openssh-askpass-3.1p1-5.alpha.rpm
Missing file		     92807b7217c777dda6b9a43dbe7ce7fd
ftp://updates.redhat.com/7.0/en/os/alpha/openssh-askpass-gnome-3.1p1-5.alpha.rpm
Missing file		     9eea8c2d710290d4d7425c03aef26d2e
ftp://updates.redhat.com/7.0/en/os/alpha/openssh-clients-3.1p1-5.alpha.rpm
Missing file		     d3f22ca75eb56ac35f0084b5f25df3cb
ftp://updates.redhat.com/7.0/en/os/alpha/openssh-server-3.1p1-5.alpha.rpm
Missing file		     8f7553265365190f8714ff67a94af972
 
IA-32:
ftp://updates.redhat.com/7.0/en/os/i386/openssh-3.1p1-5.i386.rpm
Missing file		     ea1910c305cd61e437271885280d5268
ftp://updates.redhat.com/7.0/en/os/i386/openssh-askpass-3.1p1-5.i386.rpm
Missing file		     db93fb0988ce7408f7f77a4589fd85b2
ftp://updates.redhat.com/7.0/en/os/i386/openssh-askpass-gnome-3.1p1-5.i386.rpm
Missing file		     998bb0b0e59a864d5156ec6c7e2a667f
ftp://updates.redhat.com/7.0/en/os/i386/openssh-clients-3.1p1-5.i386.rpm
Missing file		     3071cba22fb9d00ea74275ddd6849e07
ftp://updates.redhat.com/7.0/en/os/i386/openssh-server-3.1p1-5.i386.rpm
Missing file		     4cb070808101c4f24cf892782556f734
 
Red Hat Linux 7.1
SRPMS:
openssh-3.1p1-5.src.rpm
File outdated by:  RHSA-2003:222		     d1f19327b85cddfbcf3167b3374842a7
 
Alpha:
ftp://updates.redhat.com/7.1/en/os/alpha/openssh-3.1p1-5.alpha.rpm
Missing file		     f6176399bd232630f8bb517d8f4dd42e
ftp://updates.redhat.com/7.1/en/os/alpha/openssh-askpass-3.1p1-5.alpha.rpm
Missing file		     92807b7217c777dda6b9a43dbe7ce7fd
ftp://updates.redhat.com/7.1/en/os/alpha/openssh-askpass-gnome-3.1p1-5.alpha.rpm
Missing file		     9eea8c2d710290d4d7425c03aef26d2e
ftp://updates.redhat.com/7.1/en/os/alpha/openssh-clients-3.1p1-5.alpha.rpm
Missing file		     d3f22ca75eb56ac35f0084b5f25df3cb
ftp://updates.redhat.com/7.1/en/os/alpha/openssh-server-3.1p1-5.alpha.rpm
Missing file		     8f7553265365190f8714ff67a94af972
 
IA-32:
openssh-3.1p1-5.i386.rpm
File outdated by:  RHSA-2003:279		     ea1910c305cd61e437271885280d5268
openssh-askpass-3.1p1-5.i386.rpm
File outdated by:  RHSA-2003:279		     db93fb0988ce7408f7f77a4589fd85b2
openssh-askpass-gnome-3.1p1-5.i386.rpm
File outdated by:  RHSA-2003:279		     998bb0b0e59a864d5156ec6c7e2a667f
openssh-clients-3.1p1-5.i386.rpm
File outdated by:  RHSA-2003:279		     3071cba22fb9d00ea74275ddd6849e07
openssh-server-3.1p1-5.i386.rpm
File outdated by:  RHSA-2003:279		     4cb070808101c4f24cf892782556f734
 
IA-64:
ftp://updates.redhat.com/7.1/en/os/ia64/openssh-3.1p1-5.ia64.rpm
Missing file		     76771fe005710068cf7e77304d8e8c2d
ftp://updates.redhat.com/7.1/en/os/ia64/openssh-askpass-3.1p1-5.ia64.rpm
Missing file		     c1f660a37ac295a9d7f76c18c4e39a97
ftp://updates.redhat.com/7.1/en/os/ia64/openssh-askpass-gnome-3.1p1-5.ia64.rpm
Missing file		     d3dba2c6749555920d33a2bbf5c34bc7
ftp://updates.redhat.com/7.1/en/os/ia64/openssh-clients-3.1p1-5.ia64.rpm
Missing file		     b1fbb0c89efdb666ca834d73776caef3
ftp://updates.redhat.com/7.1/en/os/ia64/openssh-server-3.1p1-5.ia64.rpm
Missing file		     41a2988a28bc02ed2d7268fedec3656d
 
Red Hat Linux 7.1 for iSeries
SRPMS:
openssh-3.1p1-5.src.rpm
File outdated by:  RHSA-2003:222		     d1f19327b85cddfbcf3167b3374842a7
 
iSeries:
openssh-3.1p1-5.ppc.rpm
File outdated by:  RHSA-2003:222		     e1977668ce3d0c30e1eb73221b38cbef
openssh-askpass-3.1p1-5.ppc.rpm
File outdated by:  RHSA-2003:222		     9594fcac627edc6ad4add7ae37d59231
openssh-askpass-gnome-3.1p1-5.ppc.rpm
File outdated by:  RHSA-2003:222		     c31b2015d4ad8fb36a5510b20dd9b162
openssh-clients-3.1p1-5.ppc.rpm
File outdated by:  RHSA-2003:222		     0560a3500d2a4002cf55654cbdc84020
openssh-server-3.1p1-5.ppc.rpm
File outdated by:  RHSA-2003:222		     72df6c932d18ebeaffee3debcf33330c
 
Red Hat Linux 7.1 for pSeries
SRPMS:
openssh-3.1p1-5.src.rpm
File outdated by:  RHSA-2003:222		     d1f19327b85cddfbcf3167b3374842a7
 
pSeries:
openssh-3.1p1-5.ppc.rpm
File outdated by:  RHSA-2003:222		     e1977668ce3d0c30e1eb73221b38cbef
openssh-askpass-3.1p1-5.ppc.rpm
File outdated by:  RHSA-2003:222		     9594fcac627edc6ad4add7ae37d59231
openssh-askpass-gnome-3.1p1-5.ppc.rpm
File outdated by:  RHSA-2003:222		     c31b2015d4ad8fb36a5510b20dd9b162
openssh-clients-3.1p1-5.ppc.rpm
File outdated by:  RHSA-2003:222		     0560a3500d2a4002cf55654cbdc84020
openssh-server-3.1p1-5.ppc.rpm
File outdated by:  RHSA-2003:222		     72df6c932d18ebeaffee3debcf33330c
 
Red Hat Linux 7.2
SRPMS:
openssh-3.1p1-6.src.rpm
File outdated by:  RHSA-2003:279		     84d1b32febbd22bcc76d44d3d985cf0d
 
IA-32:
openssh-3.1p1-6.i386.rpm
File outdated by:  RHSA-2003:279		     a634222cd0d59ce1e9510323128fc34b
openssh-askpass-3.1p1-6.i386.rpm
File outdated by:  RHSA-2003:279		     1d84ecee0666441698fe7686c2f5ac3f
openssh-askpass-gnome-3.1p1-6.i386.rpm
File outdated by:  RHSA-2003:279		     7f568c333c7f15e2608b2adc134ad65a
openssh-clients-3.1p1-6.i386.rpm
File outdated by:  RHSA-2003:279		     f7c7bcce4abd79c9604b0d43a7978cc1
openssh-server-3.1p1-6.i386.rpm
File outdated by:  RHSA-2003:279		     c40ab32a22bac14625a845e342512785
 
IA-64:
openssh-3.1p1-6.ia64.rpm
File outdated by:  RHSA-2003:279		     892dd7540ed71c530949baf736a4e96d
openssh-askpass-3.1p1-6.ia64.rpm
File outdated by:  RHSA-2003:279		     8dc28e066ad28fb16d57319af0297d47
openssh-askpass-gnome-3.1p1-6.ia64.rpm
File outdated by:  RHSA-2003:279		     317f50806f05d91df9f7742c8b6b1297
openssh-clients-3.1p1-6.ia64.rpm
File outdated by:  RHSA-2003:279		     e037c1229d3062c6ff3d2a5c022787dc
openssh-server-3.1p1-6.ia64.rpm
File outdated by:  RHSA-2003:279		     f067a362f3dd6b838476c93cfedc740a
 
Red Hat Linux 7.3
SRPMS:
openssh-3.1p1-6.src.rpm
File outdated by:  RHSA-2003:279		     84d1b32febbd22bcc76d44d3d985cf0d
 
IA-32:
openssh-3.1p1-6.i386.rpm
File outdated by:  RHSA-2003:279		     a634222cd0d59ce1e9510323128fc34b
openssh-askpass-3.1p1-6.i386.rpm
File outdated by:  RHSA-2003:279		     1d84ecee0666441698fe7686c2f5ac3f
openssh-askpass-gnome-3.1p1-6.i386.rpm
File outdated by:  RHSA-2003:279		     7f568c333c7f15e2608b2adc134ad65a
openssh-clients-3.1p1-6.i386.rpm
File outdated by:  RHSA-2003:279		     f7c7bcce4abd79c9604b0d43a7978cc1
openssh-server-3.1p1-6.i386.rpm
File outdated by:  RHSA-2003:279		     c40ab32a22bac14625a845e342512785
 

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0640
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102510268109227
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102511867031136

Keywords

ChallengeResponseAuthentication, openssh, pam, security

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/