Security Advisory Low: openssh security, bug fix, and enhancement update

Advisory: RHSA-2009:1287-2
Type: Security Advisory
Severity: Low
Issued on: 2009-09-02
Last updated on: 2009-09-02
Affected Products: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2008-5161

Details

Updated openssh packages that fix a security issue, a bug, and add
enhancements are now available for Red Hat Enterprise Linux 5.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These
packages include the core files necessary for both the OpenSSH client and
server.

A flaw was found in the SSH protocol. An attacker able to perform a
man-in-the-middle attack may be able to obtain a portion of plain text from
an arbitrary ciphertext block when a CBC mode cipher was used to encrypt
SSH communication. This update helps mitigate this attack: OpenSSH clients
and servers now prefer CTR mode ciphers to CBC mode, and the OpenSSH server
now reads SSH packets up to their full possible length when corruption is
detected, rather than reporting errors early, reducing the possibility of
successful plain text recovery. (CVE-2008-5161)
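As an added illustration (not part of the advisory), the following POSIX shell audit reads the Ciphers directive of an sshd_config or ssh_config and reports whether a CBC cipher is still listed ahead of every CTR cipher, since an explicit directive overrides the CTR-first default this update introduces; the two config files it writes are constructed for the demo.

```shell
#!/bin/sh
# Audit the cipher preference in an sshd_config or ssh_config file.
# RHSA-2009:1287 makes OpenSSH's *default* order CTR-first, but an explicit
# "Ciphers" directive overrides that default, so a file that still lists a
# CBC cipher before any CTR cipher keeps CBC as the preferred mode.

# Print the value of the first active "Ciphers" directive (OpenSSH uses the
# first value it obtains for a keyword). Prints nothing if there is none.
# Match blocks are not handled; global directives only.
ciphers_directive() {
    awk '$1 !~ /^#/ && tolower($1) == "ciphers" { print $2; exit }' "$1"
}

# Return 0 if a CBC-mode cipher appears before the first CTR-mode cipher in
# the file's Ciphers directive (CBC would be preferred), 1 if CTR comes first
# or no CBC cipher is listed, 2 if there is no Ciphers directive at all (the
# package default then decides, which is CTR-first once this update is in).
cbc_before_ctr() {
    list=$(ciphers_directive "$1")
    [ -n "$list" ] || return 2
    old_ifs=$IFS; IFS=,
    for c in $list; do
        case "$c" in
            *-ctr) IFS=$old_ifs; return 1 ;;
            *-cbc) IFS=$old_ifs; return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Stand-alone demo on two constructed config files.
weak=$(mktemp)
printf 'Port 22\n#Ciphers aes128-ctr\nCiphers aes128-cbc,3des-cbc,aes128-ctr\n' > "$weak"
fixed=$(mktemp)
printf 'Ciphers aes128-ctr,aes256-ctr,aes128-cbc\n' > "$fixed"
for f in "$weak" "$fixed"; do
    if cbc_before_ctr "$f"; then
        echo "$f: CBC listed before CTR; put the CTR ciphers first"
    else
        echo "$f: CTR preferred (or no CBC cipher listed)"
    fi
done
rm -f "$weak" "$fixed"
```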

This update also fixes the following bug:

* the ssh client hung when trying to close a session in which a background
process still held tty file descriptors open. With this update, this
so-called "hang on exit" error no longer occurs and the ssh client closes
the session immediately. (BZ#454812)

In addition, this update adds the following enhancements:

* the SFTP server can now chroot users to various directories, including
a user's home directory, after login. A new configuration option,
ChrootDirectory, has been added to "/etc/ssh/sshd_config" for setting
this up (the default is not to chroot users). Details on configuring this
new option are in the sshd_config(5) manual page. (BZ#440240)

* the executables that are part of the OpenSSH FIPS module (which is
currently undergoing validation) now check their own integrity and report
their FIPS mode status to the system log or to the terminal. (BZ#467268,
BZ#492363)

All OpenSSH users are advised to upgrade to these updated packages, which
contain backported patches to resolve these issues and add these
enhancements. After installing this update, the OpenSSH server daemon
(sshd) will be restarted automatically.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
openssh-4.3p2-36.el5.src.rpm

IA-32:
openssh-4.3p2-36.el5.i386.rpm
openssh-askpass-4.3p2-36.el5.i386.rpm
openssh-clients-4.3p2-36.el5.i386.rpm
openssh-server-4.3p2-36.el5.i386.rpm

IA-64:
openssh-4.3p2-36.el5.ia64.rpm
openssh-askpass-4.3p2-36.el5.ia64.rpm
openssh-clients-4.3p2-36.el5.ia64.rpm
openssh-server-4.3p2-36.el5.ia64.rpm

PPC:
openssh-4.3p2-36.el5.ppc.rpm
openssh-askpass-4.3p2-36.el5.ppc.rpm
openssh-clients-4.3p2-36.el5.ppc.rpm
openssh-server-4.3p2-36.el5.ppc.rpm

s390x:
openssh-4.3p2-36.el5.s390x.rpm
openssh-askpass-4.3p2-36.el5.s390x.rpm
openssh-clients-4.3p2-36.el5.s390x.rpm
openssh-server-4.3p2-36.el5.s390x.rpm

x86_64:
openssh-4.3p2-36.el5.x86_64.rpm
openssh-askpass-4.3p2-36.el5.x86_64.rpm
openssh-clients-4.3p2-36.el5.x86_64.rpm
openssh-server-4.3p2-36.el5.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
openssh-4.3p2-36.el5.src.rpm

IA-32:
openssh-4.3p2-36.el5.i386.rpm
openssh-askpass-4.3p2-36.el5.i386.rpm
openssh-clients-4.3p2-36.el5.i386.rpm
openssh-server-4.3p2-36.el5.i386.rpm

x86_64:
openssh-4.3p2-36.el5.x86_64.rpm
openssh-askpass-4.3p2-36.el5.x86_64.rpm
openssh-clients-4.3p2-36.el5.x86_64.rpm
openssh-server-4.3p2-36.el5.x86_64.rpm

All of the files listed above have since been outdated by RHBA-2012:0237.
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

440240 - request to add chroot sftp capability into openssh-server
472068 - CVE-2008-5161 OpenSSH: Plaintext Recovery Attack against CBC ciphers


Keywords

chroot, FIPS, hang, integrity, mode, scp, sftp, verification


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/