===========================================================================
             AUSCERT External Security Bulletin Redistribution

                  ESB-2003.0521 -- RHSA-2003:222-01
                   Updated openssh packages available
                              30 July 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                openssh
Publisher:              Red Hat
Operating System:       Red Hat Linux
                        Linux
Impact:                 Reduced Security
Access Required:        Remote
CVE Names:              CAN-2003-0190

--------------------------BEGIN INCLUDED TEXT--------------------

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated openssh packages available
Advisory ID:       RHSA-2003:222-01
Issue date:        2003-07-29
Updated on:        2003-07-29
Product:           Red Hat Linux
Keywords:          openssh pam timing information leak
Cross references:
Obsoletes:         RHSA-2002:127
CVE Names:         CAN-2003-0190
---------------------------------------------------------------------

1. Topic:

Updated OpenSSH packages are now available. These updates close an
information leak caused by sshd's interaction with the PAM system.

2. Relevant releases/architectures:

Red Hat Linux 7.1 - i386
Red Hat Linux 7.1 for iSeries (64 bit) - ppc
Red Hat Linux 7.1 for pSeries (64 bit) - ppc
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386
Red Hat Linux 9 - i386

3. Problem description:

OpenSSH is a suite of network connectivity tools that can be used to
establish encrypted connections between systems on a network and can
provide interactive login sessions and port forwarding, among other
functions.

When configured to allow password-based or challenge-response
authentication, sshd (the OpenSSH server) uses PAM (Pluggable
Authentication Modules) to verify the user's password.

Under certain conditions, OpenSSH versions prior to 3.6.1p1 reject an
invalid authentication attempt without first attempting authentication
using PAM. If PAM is configured with its default failure delay, the
amount of time sshd takes to reject an invalid authentication request
varies widely enough that the timing variations could be used to deduce
whether or not an account with a specified name existed on the server.
This information could then be used to narrow the focus of an attack
against some other system component.

These updates contain backported fixes that cause sshd to always attempt
PAM authentication when performing password and challenge-response
authentication for clients.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.

5. RPMs required:

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/openssh-3.1p1-7.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/openssh-3.1p1-7.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openssh-clients-3.1p1-7.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openssh-server-3.1p1-7.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openssh-askpass-3.1p1-7.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openssh-askpass-gnome-3.1p1-7.i386.rpm

Red Hat Linux 7.1 for iSeries (64 bit):

SRPMS:
ftp://updates.redhat.com/7.1/en/os/iSeries/SRPMS/openssh-3.1p1-7.src.rpm

ppc:
ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/openssh-3.1p1-7.ppc.rpm
ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/openssh-clients-3.1p1-7.ppc.rpm
ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/openssh-server-3.1p1-7.ppc.rpm
ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/openssh-askpass-3.1p1-7.ppc.rpm
ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/openssh-askpass-gnome-3.1p1-7.ppc.rpm

Red Hat Linux 7.1 for pSeries (64 bit):

SRPMS:
ftp://updates.redhat.com/7.1/en/os/pSeries/SRPMS/openssh-3.1p1-7.src.rpm

ppc:
ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/openssh-3.1p1-7.ppc.rpm
ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/openssh-clients-3.1p1-7.ppc.rpm
ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/openssh-server-3.1p1-7.ppc.rpm
ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/openssh-askpass-3.1p1-7.ppc.rpm
ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/openssh-askpass-gnome-3.1p1-7.ppc.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/openssh-3.1p1-8.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/openssh-3.1p1-8.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssh-clients-3.1p1-8.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssh-server-3.1p1-8.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssh-askpass-3.1p1-8.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssh-askpass-gnome-3.1p1-8.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/openssh-3.1p1-8.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openssh-clients-3.1p1-8.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openssh-server-3.1p1-8.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openssh-askpass-3.1p1-8.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openssh-askpass-gnome-3.1p1-8.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/openssh-3.1p1-8.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/openssh-3.1p1-8.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openssh-clients-3.1p1-8.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openssh-server-3.1p1-8.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openssh-askpass-3.1p1-8.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openssh-askpass-gnome-3.1p1-8.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/openssh-3.4p1-4.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/openssh-3.4p1-4.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/openssh-clients-3.4p1-4.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/openssh-server-3.4p1-4.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/openssh-askpass-3.4p1-4.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/openssh-askpass-gnome-3.4p1-4.i386.rpm

Red Hat Linux 9:

SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/openssh-3.5p1-6.9.src.rpm

i386:
ftp://updates.redhat.com/9/en/os/i386/openssh-3.5p1-6.9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/openssh-clients-3.5p1-6.9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/openssh-server-3.5p1-6.9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/openssh-askpass-3.5p1-6.9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/openssh-askpass-gnome-3.5p1-6.9.i386.rpm

6. Verification:

These packages are GPG signed by Red Hat for security. Our key is
available from http://www.redhat.com/security/keys.html

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

md5sum <filename>

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0190

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at http://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
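The control-flow difference behind the fix described in section 3 of the Red Hat advisory, as an added simulation that is not OpenSSH or Red Hat code: the pre-3.6.1p1 path rejects an unknown account before PAM is consulted, so PAM's failure delay is only paid for accounts that exist, while the fixed path always runs PAM. The ACCOUNTS table, the PamStub class, the delay value and the function names are constructed assumptions for illustration.

```python
import time

# Constructed account table: only these names "exist" on the simulated host.
ACCOUNTS = {"alice": "correct horse", "bob": "battery staple"}

# Stand-in for PAM's default failure delay; kept tiny so the demo runs fast.
PAM_FAIL_DELAY_SECONDS = 0.02


class PamStub:
    """Minimal stand-in for pam_authenticate(): counts calls and sleeps on failure."""

    def __init__(self):
        self.calls = 0

    def authenticate(self, user, password):
        self.calls += 1
        ok = ACCOUNTS.get(user) == password
        if not ok:
            time.sleep(PAM_FAIL_DELAY_SECONDS)  # PAM's failure delay
        return ok


def auth_before_fix(pam, user, password):
    """Pre-3.6.1p1 behaviour: an unknown account is rejected before PAM is
    consulted, so the failure delay applies only to accounts that exist."""
    if user not in ACCOUNTS:
        return False  # fast rejection; its timing differs from the PAM path
    return pam.authenticate(user, password)


def auth_after_fix(pam, user, password):
    """Backported fix: PAM is always attempted, so every rejection shares one path."""
    return pam.authenticate(user, password)


def timed_attempt(auth_fn, user, password):
    """Run one attempt; return (accepted, pam_calls, elapsed_seconds)."""
    pam = PamStub()
    start = time.perf_counter()
    accepted = auth_fn(pam, user, password)
    return accepted, pam.calls, time.perf_counter() - start


if __name__ == "__main__":
    for auth_fn in (auth_before_fix, auth_after_fix):
        for user in ("alice", "nosuchuser"):
            accepted, calls, dt = timed_attempt(auth_fn, user, "wrong-password")
            print(f"{auth_fn.__name__:16} {user:11} accepted={accepted!s:5} pam_calls={calls} elapsed={dt * 1000:6.1f} ms")
```

Running it shows the unfixed variant rejecting the missing account with zero PAM calls and almost no delay, while the fixed variant takes the same path, and roughly the same time, for both names.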