Security Advisory Updated openssh packages available

Advisory: RHSA-2003:222-08
Type: Security Advisory
Severity: N/A
Issued on: 2003-07-29
Last updated on: 2003-07-29
Affected Products: Red Hat Linux 7.1
Red Hat Linux 7.1 for iSeries
Red Hat Linux 7.1 for pSeries
Red Hat Linux 7.2
Red Hat Linux 7.3
Red Hat Linux 8.0
Red Hat Linux 9
OVAL: N/A
CVEs (cve.mitre.org): CVE-2003-0190

Details

Updated OpenSSH packages are now available. These updates close an
information leak caused by sshd's interaction with the PAM system.

OpenSSH is a suite of network connectivity tools that can be used to
establish encrypted connections between systems on a network and can
provide interactive login sessions and port forwarding, among other functions.

When configured to allow password-based or challenge-response
authentication, sshd (the OpenSSH server) uses PAM (Pluggable
Authentication Modules) to verify the user's password. Under certain
conditions, OpenSSH versions prior to 3.6.1p1 reject an invalid
authentication attempt without first attempting authentication using PAM.

If PAM is configured with its default failure delay, the amount of time
sshd takes to reject an invalid authentication request varies widely enough
that the timing variations could be used to deduce whether or not an
account with a specified name existed on the server. This information
could then be used to narrow the focus of an attack against some other
system component.

These updates contain backported fixes that cause sshd to always attempt
PAM authentication when performing password and challenge-response
authentication for clients.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Linux 7.1
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/openssh-3.1p1-7.src.rpm
Missing file		     bfbd152a2069230041ff1298b0562061
 
IA-32:
openssh-3.1p1-7.i386.rpm
File outdated by:  RHSA-2003:279		     48c37500a4c7984673878edbef7e9cde
openssh-askpass-3.1p1-7.i386.rpm
File outdated by:  RHSA-2003:279		     3f59bffd703bac24632f4e34e2beed22
openssh-askpass-gnome-3.1p1-7.i386.rpm
File outdated by:  RHSA-2003:279		     def478c5b3f97af908e3cb4d8306662b
openssh-clients-3.1p1-7.i386.rpm
File outdated by:  RHSA-2003:279		     e9947146ea766572cbd9457f320a4f06
openssh-server-3.1p1-7.i386.rpm
File outdated by:  RHSA-2003:279		     879cbb50923935cebf20b39578dc8eed
 
Red Hat Linux 7.1 for iSeries
SRPMS:
ftp://updates.redhat.com/7.1/en/os/iSeries/SRPMS/openssh-3.1p1-7.src.rpm
Missing file		     bfbd152a2069230041ff1298b0562061
 
iSeries:
ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/openssh-3.1p1-7.ppc.rpm
Missing file		     7c8aa13e79e6c856181852de76c86722
ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/openssh-askpass-3.1p1-7.ppc.rpm
Missing file		     b1a591c23d345fd96f2d0fab2eb958be
ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/openssh-askpass-gnome-3.1p1-7.ppc.rpm
Missing file		     ae6d48792fea701e75b114333babe37c
ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/openssh-clients-3.1p1-7.ppc.rpm
Missing file		     f7ee0ce5cefe22043828863da06ce331
ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/openssh-server-3.1p1-7.ppc.rpm
Missing file		     d9f993c8fa47ec3956f5e1e3c6f176d5
 
Red Hat Linux 7.1 for pSeries
SRPMS:
ftp://updates.redhat.com/7.1/en/os/pSeries/SRPMS/openssh-3.1p1-7.src.rpm
Missing file		     bfbd152a2069230041ff1298b0562061
 
pSeries:
ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/openssh-3.1p1-7.ppc.rpm
Missing file		     7c8aa13e79e6c856181852de76c86722
ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/openssh-askpass-3.1p1-7.ppc.rpm
Missing file		     b1a591c23d345fd96f2d0fab2eb958be
ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/openssh-askpass-gnome-3.1p1-7.ppc.rpm
Missing file		     ae6d48792fea701e75b114333babe37c
ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/openssh-clients-3.1p1-7.ppc.rpm
Missing file		     f7ee0ce5cefe22043828863da06ce331
ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/openssh-server-3.1p1-7.ppc.rpm
Missing file		     d9f993c8fa47ec3956f5e1e3c6f176d5
 
Red Hat Linux 7.2
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/openssh-3.1p1-8.src.rpm
Missing file		     22f17a835f12a4131a21487d5ee3dec6
 
IA-32:
openssh-3.1p1-8.i386.rpm
File outdated by:  RHSA-2003:279		     013694ec0e839f077e7980d9cebfa277
openssh-askpass-3.1p1-8.i386.rpm
File outdated by:  RHSA-2003:279		     a942a051510a5a0aa34b0774d6eb8ee0
openssh-askpass-gnome-3.1p1-8.i386.rpm
File outdated by:  RHSA-2003:279		     de35a67fa21ec478aff57ce5c830f84e
openssh-clients-3.1p1-8.i386.rpm
File outdated by:  RHSA-2003:279		     8c9d37f46f76093eccea80571d687d46
openssh-server-3.1p1-8.i386.rpm
File outdated by:  RHSA-2003:279		     42ec08d8633862da9c988524fecdafbb
 
IA-64:
openssh-3.1p1-8.ia64.rpm
File outdated by:  RHSA-2003:279		     d9441bbe925832b82766b8140fb4bb77
openssh-askpass-3.1p1-8.ia64.rpm
File outdated by:  RHSA-2003:279		     58765b526317e03dcf9371d9b225fa68
openssh-askpass-gnome-3.1p1-8.ia64.rpm
File outdated by:  RHSA-2003:279		     46b8de0e5072ff7ee614c7e5dfc536b9
openssh-clients-3.1p1-8.ia64.rpm
File outdated by:  RHSA-2003:279		     1e95e8ca735b971bcb1a1824becaa582
openssh-server-3.1p1-8.ia64.rpm
File outdated by:  RHSA-2003:279		     8ae51f6f0116f60fd29545b4f9560613
 
Red Hat Linux 7.3
SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/openssh-3.1p1-8.src.rpm
Missing file		     22f17a835f12a4131a21487d5ee3dec6
 
IA-32:
openssh-3.1p1-8.i386.rpm
File outdated by:  RHSA-2003:279		     013694ec0e839f077e7980d9cebfa277
openssh-askpass-3.1p1-8.i386.rpm
File outdated by:  RHSA-2003:279		     a942a051510a5a0aa34b0774d6eb8ee0
openssh-askpass-gnome-3.1p1-8.i386.rpm
File outdated by:  RHSA-2003:279		     de35a67fa21ec478aff57ce5c830f84e
openssh-clients-3.1p1-8.i386.rpm
File outdated by:  RHSA-2003:279		     8c9d37f46f76093eccea80571d687d46
openssh-server-3.1p1-8.i386.rpm
File outdated by:  RHSA-2003:279		     42ec08d8633862da9c988524fecdafbb
 
Red Hat Linux 8.0
SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/openssh-3.4p1-4.src.rpm
Missing file		     81ed2140e12f15e4518fc2fe3aef10eb
 
IA-32:
openssh-3.4p1-4.i386.rpm
File outdated by:  RHSA-2003:279		     d625e5b2eca982b5b92ac0862eae1b73
openssh-askpass-3.4p1-4.i386.rpm
File outdated by:  RHSA-2003:279		     34e91b60c3b5296c8e5185d5cf832013
openssh-askpass-gnome-3.4p1-4.i386.rpm
File outdated by:  RHSA-2003:279		     536394cfe9c2b3068580269b346f6c1f
openssh-clients-3.4p1-4.i386.rpm
File outdated by:  RHSA-2003:279		     ce583ee467532c9af9b9482cc90cd375
openssh-server-3.4p1-4.i386.rpm
File outdated by:  RHSA-2003:279		     a81ee000ffc59c3f210fb4f08a02f2a7
 
Red Hat Linux 9
SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/openssh-3.5p1-6.9.src.rpm
Missing file		     321f50363605e1976cc19b7ceacf6d26
 
IA-32:
openssh-3.5p1-6.9.i386.rpm
File outdated by:  RHSA-2003:279		     71613a13c1e40faa16f9a01fabf0e8b3
openssh-askpass-3.5p1-6.9.i386.rpm
File outdated by:  RHSA-2003:279		     7b70f6b671b87385646d382115974724
openssh-askpass-gnome-3.5p1-6.9.i386.rpm
File outdated by:  RHSA-2003:279		     9a8d60a683b055feba9855db74467fff
openssh-clients-3.5p1-6.9.i386.rpm
File outdated by:  RHSA-2003:279		     5c18b658c8bed7c434d8d9f142a95e7f
openssh-server-3.5p1-6.9.i386.rpm
File outdated by:  RHSA-2003:279		     3971445a5ee73f5c8b7fdc022b0432e8
 

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190

Keywords

information, leak, openssh, pam, timing

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/