-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

      ESB-2003.0661 -- Two Debian Security Advisories DSA-383-1, DSA-383-2
                        OpenSSH buffer management fix
                             22 September 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                ssh-krb5
Publisher:              Debian
Operating System:       Debian GNU/Linux 3.0
                        Linux
                        UNIX
Impact:                 Denial of Service
Access Required:        Remote
CVE Names:              CAN-2003-0693, CAN-2003-0695
Ref:                    AL-2003.16

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-383-1                     security@debian.org
http://www.debian.org/security/                         Wichert Akkerman
September 17, 2003
------------------------------------------------------------------------

Package        : ssh-krb5
Vulnerability  : buffer handling
Problem type   : possible remote
Debian-specific: no
CVE references : CAN-2003-0693 CAN-2003-0695

Several bugs have been found in OpenSSH's buffer handling. It is not
known if these bugs are exploitable, but as a precaution an upgrade is
advised.

For the Debian stable distribution these bugs have been fixed in
version 1:3.4p1-0woody3.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
--------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/o/openssh-krb5/openssh-krb5_3.4p1.orig.tar.gz
      Size/MD5 checksum:   837668 459c1d0262e939d6432f193c7a4ba8a8
    http://security.debian.org/pool/updates/main/o/openssh-krb5/openssh-krb5_3.4p1-0woody3.diff.gz
      Size/MD5 checksum:   120256 101711fd74f01e6e670c334752cafe44
    http://security.debian.org/pool/updates/main/o/openssh-krb5/openssh-krb5_3.4p1-0woody3.dsc
      Size/MD5 checksum:      822 e39ebe0e44ae1998d5c47ddb45d6dbe8

  alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/o/openssh-krb5/ssh-krb5_3.4p1-0woody3_alpha.deb
      Size/MD5 checksum:   888466 dd124b4ce632d30f00eed9409ea5b42a

  arm architecture (ARM)

    http://security.debian.org/pool/updates/main/o/openssh-krb5/ssh-krb5_3.4p1-0woody3_arm.deb
      Size/MD5 checksum:   687666 9cc220113aadc19c647fb65f5f0d998b

  hppa architecture (HP PA RISC)

    http://security.debian.org/pool/updates/main/o/openssh-krb5/ssh-krb5_3.4p1-0woody3_hppa.deb
      Size/MD5 checksum:   789256 a5bbdfbea796a3e2d6b979622466ab63

  i386 architecture (Intel ia32)

    http://security.debian.org/pool/updates/main/o/openssh-krb5/ssh-krb5_3.4p1-0woody3_i386.deb
      Size/MD5 checksum:   671568 faa1fa7949a7cce9388057a485d98dc5

  ia64 architecture (Intel ia64)

    http://security.debian.org/pool/updates/main/o/openssh-krb5/ssh-krb5_3.4p1-0woody3_ia64.deb
      Size/MD5 checksum:  1049956 51e568695ef150e6049e7b5b42d23891

  mipsel architecture (MIPS (Little Endian))

    http://security.debian.org/pool/updates/main/o/openssh-krb5/ssh-krb5_3.4p1-0woody3_mipsel.deb
      Size/MD5 checksum:   759494 0aeeb07fe815b8a0e36e5ded2763d1ab

  powerpc architecture (PowerPC)

    http://security.debian.org/pool/updates/main/o/openssh-krb5/ssh-krb5_3.4p1-0woody3_powerpc.deb
      Size/MD5 checksum:   711472 cf3efec05458df632179302cd78032f0

  s390 architecture (IBM S/390)

    http://security.debian.org/pool/updates/main/o/openssh-krb5/ssh-krb5_3.4p1-0woody3_s390.deb
      Size/MD5 checksum:   749046 93cc4a83d9b3afded11ccc1a6a62d127

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.debian.org/pool/updates/main/o/openssh-krb5/ssh-krb5_3.4p1-0woody3_sparc.deb
      Size/MD5 checksum:   694616 b56ebfa782eb8645e34058facd3e9ca5

-- 
----------------------------------------------------------------------------
Debian Security team <team@security.debian.org>
http://www.debian.org/security/
Mailing-List: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/aICCPLiSUC+jvC0RAs8CAJ4ibM/vFpJQu+O6IHry1yx113uM+gCfSK/S
JfZ0Fqf8SmCaOQJe0MkHr2c=
=AtV1
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-383-2                     security@debian.org
http://www.debian.org/security/                         Wichert Akkerman
September 21, 2003
------------------------------------------------------------------------

Package        : ssh-krb5
Vulnerability  : buffer handling
Problem type   : possible remote
Debian-specific: no
CVE references : CAN-2003-0693 CAN-2003-0695 CAN-2003-0682

This advisory is an addition to the earlier DSA-383-1 advisory: Solar
Designer found four more bugs in OpenSSH that may be exploitable.

For the Debian stable distribution these bugs have been fixed in
version 1:3.4p1-0woody4.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
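The upgrade instructions above download a package with wget and hand it straight to dpkg -i. As an added example (it is not part of the Debian advisory or the AusCERT bulletin), the following POSIX shell helpers check a downloaded .deb's byte count and MD5 against the "Size/MD5 checksum" values the advisory publishes before dpkg is invoked. The names verify_deb, file_md5 and install_verified are hypothetical, and the file the demonstration checks is constructed in place; when used for real, the size and hash arguments are taken from the architecture entry in the package list, for example the i386 woody4 line.

```shell
#!/bin/sh
# Added example, not Debian or AusCERT code: verify a downloaded .deb against
# the advisory's "Size/MD5 checksum: <bytes> <md5>" line before installing.

# Print the MD5 of a file; md5sum on GNU systems, md5 -q on BSD systems.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# verify_deb FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 only when both the byte count and the MD5 match the advisory.
# Checking the size first cheaply catches truncated downloads.
verify_deb() {
    file=$1; want_size=$2; want_md5=$3
    if [ ! -f "$file" ]; then
        echo "verify_deb: missing file: $file" >&2
        return 1
    fi
    got_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$got_size" != "$want_size" ]; then
        echo "verify_deb: size mismatch for $file (got $got_size, want $want_size)" >&2
        return 1
    fi
    got_md5=$(file_md5 "$file")
    if [ "$got_md5" != "$want_md5" ]; then
        echo "verify_deb: MD5 mismatch for $file (got $got_md5, want $want_md5)" >&2
        return 1
    fi
    echo "verify_deb: $file matches advisory ($want_size bytes, MD5 $want_md5)"
    return 0
}

# install_verified FILE EXPECTED_SIZE EXPECTED_MD5
# Hypothetical wrapper for the advisory's "dpkg -i file.deb" step: the package
# only reaches dpkg after verify_deb succeeds. Not run by the demonstration.
install_verified() {
    verify_deb "$1" "$2" "$3" || return 1
    dpkg -i "$1"
}

# Demonstration on a constructed file (no download, no dpkg): the six bytes
# "hello\n" have MD5 b1946ac92492d2347c6235b4d2611184. A file whose hash
# does not match what the advisory lists must be rejected.
demo() {
    tmp=$(mktemp) || return 1
    printf 'hello\n' > "$tmp"
    if verify_deb "$tmp" 6 b1946ac92492d2347c6235b4d2611184; then
        ok=0
    else
        ok=1
    fi
    if verify_deb "$tmp" 6 00000000000000000000000000000000; then
        ok=1    # a mismatching hash was accepted: the check is broken
    fi
    rm -f "$tmp"
    return $ok
}

demo
```

The checksum only tells you the file you have is the file the advisory describes; it says nothing about whether the advisory itself is genuine. That assurance comes from verifying the Debian PGP signature on the advisory text with the security team's key before trusting any of the listed values.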
Debian GNU/Linux 3.0 alias woody
--------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/o/openssh-krb5/openssh-krb5_3.4p1-0woody4.dsc
      Size/MD5 checksum:     1357 d7f2f4b66a60aec2636aaa131a04ea86
    http://security.debian.org/pool/updates/main/o/openssh-krb5/openssh-krb5_3.4p1.orig.tar.gz
      Size/MD5 checksum:   837668 459c1d0262e939d6432f193c7a4ba8a8
    http://security.debian.org/pool/updates/main/o/openssh-krb5/openssh-krb5_3.4p1-0woody4.diff.gz
      Size/MD5 checksum:   120639 8c57caab816733519f2e764ff824ea2d

  alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/o/openssh-krb5/ssh-krb5_3.4p1-0woody4_alpha.deb
      Size/MD5 checksum:   888572 addc35a6bc52711c42ae8a1e3cf86577

  arm architecture (ARM)

    http://security.debian.org/pool/updates/main/o/openssh-krb5/ssh-krb5_3.4p1-0woody4_arm.deb
      Size/MD5 checksum:   687794 c1143d02c214f8cfe4bd60ef6b8aaac5

  hppa architecture (HP PA RISC)

    http://security.debian.org/pool/updates/main/o/openssh-krb5/ssh-krb5_3.4p1-0woody4_hppa.deb
      Size/MD5 checksum:   789374 2bdbe110e4df220c91c927b06116c8ea

  i386 architecture (Intel ia32)

    http://security.debian.org/pool/updates/main/o/openssh-krb5/ssh-krb5_3.4p1-0woody4_i386.deb
      Size/MD5 checksum:   671778 a4fe8e3f4de7c6a8048ec123f637838f

  ia64 architecture (Intel ia64)

    http://security.debian.org/pool/updates/main/o/openssh-krb5/ssh-krb5_3.4p1-0woody4_ia64.deb
      Size/MD5 checksum:  1049908 c420b72bc0c9a5f6c6d9b658291b7dc5

  m68k architecture (Motorola Mc680x0)

    http://security.debian.org/pool/updates/main/o/openssh-krb5/ssh-krb5_3.4p1-0woody4_m68k.deb
      Size/MD5 checksum:   640920 b1df32262d6fb5cd7a1eca52c66e412f

  mips architecture (MIPS (Big Endian))

    http://security.debian.org/pool/updates/main/o/openssh-krb5/ssh-krb5_3.4p1-0woody4_mips.deb
      Size/MD5 checksum:   762850 211c9d9c0385314d49039ce8e651ea61

  powerpc architecture (PowerPC)

    http://security.debian.org/pool/updates/main/o/openssh-krb5/ssh-krb5_3.4p1-0woody4_powerpc.deb
      Size/MD5 checksum:   711568 83acd76f1dd01ad7bba04f83e84e7b0e

  s390 architecture (IBM S/390)

    http://security.debian.org/pool/updates/main/o/openssh-krb5/ssh-krb5_3.4p1-0woody4_s390.deb
      Size/MD5 checksum:   749104 e88e2b9601a057e9f45c6517b77701f7

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.debian.org/pool/updates/main/o/openssh-krb5/ssh-krb5_3.4p1-0woody4_sparc.deb
      Size/MD5 checksum:   694636 9cf84d70e306be2f4f94a86b8d41c857

-- 
----------------------------------------------------------------------------
Debian Security team <team@security.debian.org>
http://www.debian.org/security/
Mailing-List: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/bfZrPLiSUC+jvC0RAjcUAKCDoLyZ7u5kzPDbKcyDR/Ic7XVKaQCgl9qQ
CBxj8Nr6AgjdI0pW0CoDM18=
=YvpS
-----END PGP SIGNATURE-----

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBP25JaCh9+71yA2DNAQGXOAQAhLY3Fb853kwvVIX583CFIB/qKCgAcEnX
GU4saTdK1GuVAm013EKAmAZPxyLhSPS+TJz/HmjXdzqMFaAf4jOcUbNof196hq5O
IJPXwnnrQT7F2WQUrQm4qPm7zcwnBZyuaD2tF1g0gN+kE+Mu5BrEQddcq2yIVss8
xwd8SJ01Lzw=
=ds5h
-----END PGP SIGNATURE-----