List Archive: gentoo-announce
To: gentoo-announce@g.o
From: Ferry Meyndert <m0rpheus@g.o>
Subject: [GLSA] Updated openssh version 3.1 that fixes off-by-one error that can cause a local root vulnerability
Date: Thu, 7 Mar 2002 18:29:24 +0100

--------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------------
PACKAGE : openssh
SUMMARY : vulnerable to an off-by-one error in the channel code
DATE    : 2002-04-7 18:02:00
--------------------------------------------------------------------------
OVERVIEW
A bug exists in the channel code of OpenSSH versions 2.0 - 3.0.2.
Users with an existing user account can abuse this bug to
gain root privileges. Exploitability without an existing
user account has not been proven but is not considered
impossible. A malicious ssh server could also use this bug
to exploit a connecting vulnerable client.
DETAIL
http://www.pine.nl/advisories/pine-cert-20020301.txt
SOLUTION
It is recommended that all openssh users apply the update.
Portage Auto:
emerge rsync
emerge update
emerge update --world
Portage by hand:
emerge rsync
emerge net-misc/openssh
Manually:
Download the new openssh package here and follow the instructions in the file:
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.1p1.tar.gz
--------------------------------------------------------------------------
Ferry Meyndert
m0rpheus@g.o
--------------------------------------------------------------------------
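
A version check for the affected range given in the OVERVIEW (2.0 - 3.0.2, fixed in 3.1), as an added example that is not part of the original advisory. The function names and the sample banner strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an OpenSSH version string against the range in
# this advisory (2.0 through 3.0.2 affected; 3.1 is the fixed release).

# Print the numeric version (e.g. "3.0.2") found in a banner or `ssh -V` line.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9.]*\).*/\1/p'
}

# Turn "major.minor.patch" into one comparable integer (3.0.2 -> 30002).
version_key() {
    old_ifs=$IFS
    IFS=.
    set -- $1          # split on dots; missing fields default to 0 below
    IFS=$old_ifs
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

# Print "affected", "not-affected" or "unknown"; always returns 0 so it is
# safe to call under `set -e`.
classify_openssh() {
    ver=$(openssh_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    key=$(version_key "$ver")
    if [ "$key" -ge 20000 ] && [ "$key" -le 30002 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed sample inputs: `ssh -V` style lines and a server banner.
for line in \
    "OpenSSH_3.0.2p1, SSH protocols 1.5/2.0" \
    "OpenSSH_2.9p2" \
    "SSH-2.0-OpenSSH_3.1p1" \
    "SSH-1.99-SomeOtherServer"
do
    printf '%-45s %s\n' "$line" "$(classify_openssh "$line")"
done
```

A version string only reports the upstream release number, so a package that carries a vendor-backported fix under an older version number will still be reported as affected.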