| 1 |
Hi, |
| 2 |
|
| 3 |
Yep. Noticed that a few minutes after I sent the e-mail. I must have |
| 4 |
done my rsync before this package was added. |
| 5 |
My Bad. |
| 6 |
Thanks, |
| 7 |
C.Davies |
| 8 |
(c.davies@×××××××.org) |
| 9 |
|
| 10 |
Ferry Meyndert wrote: |
| 11 |
|
| 12 |
>Its allready fixed in gentoo here is a copy of the anouncement send to the anouncement list. |
| 13 |
>- -------------------------------------------------------------------------- |
| 14 |
>GENTOO LINUX SECURITY ANNOUNCEMENT |
| 15 |
>- -------------------------------------------------------------------------- |
| 16 |
> |
| 17 |
>PACKAGE :openssh |
| 18 |
>SUMMARY :vulnerable to a off-by-one error in the channel code |
| 19 |
>DATE :2002-04-7 18:02:00 |
| 20 |
> |
| 21 |
>- -------------------------------------------------------------------------- |
| 22 |
> |
| 23 |
>OVERVIEW |
| 24 |
> |
| 25 |
> |
| 26 |
> A bug exists in the channel code of OpenSSH versions 2.0 - 3.0.2 |
| 27 |
> Users with an existing user account can abuse this bug to |
| 28 |
> gain root privileges. Exploitability without an existing |
| 29 |
> user account has not been proven but is not considered |
| 30 |
> impossible. A malicious ssh server could also use this bug |
| 31 |
> to exploit a connecting vulnerable client. |
| 32 |
> |
| 33 |
> |
| 34 |
>DETAIL |
| 35 |
> |
| 36 |
> http://www.pine.nl/advisories/pine-cert-20020301.txt |
| 37 |
> |
| 38 |
> |
| 39 |
>SOLUTION |
| 40 |
> |
| 41 |
> |
| 42 |
> It is recommended that all openssh users apply the update |
| 43 |
> |
| 44 |
> Portage Auto: |
| 45 |
> |
| 46 |
> emerge rsync |
| 47 |
> emerge update |
| 48 |
> emerge update --world |
| 49 |
> |
| 50 |
> |
| 51 |
> Portage by hand: |
| 52 |
> |
| 53 |
> emerge rsync |
| 54 |
> emerge net-misc/openssh |
| 55 |
> |
| 56 |
> Manually: |
| 57 |
> |
| 58 |
> Download the new openssh package here and follow in file instructions: |
| 59 |
> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.1p1.tar.gz |
| 60 |
> |
| 61 |
>- -------------------------------------------------------------------------- |
| 62 |
>Ferry Meyndert |
| 63 |
>m0rpheus@g.o |
| 64 |
>- -------------------------------------------------------------------------- |
| 65 |
> |
| 66 |
> |
| 67 |
>On Thu, 07 Mar 2002 20:04:55 +0000 |
| 68 |
>Chris Davies <c.davies@×××××××.org> wrote: |
| 69 |
> |
| 70 |
>>Hi, |
| 71 |
>> |
| 72 |
>>I haven't seen anything in bugs or this list about this, so here is the |
| 73 |
>>news: |
| 74 |
>>CERT have issued an advisory about OpenSSH, the bug in question enables |
| 75 |
>>existing users to gain root privelidges. |
| 76 |
>>The advisory is here: http://www.pine.nl/advisories/pine-cert-20020301.txt |
| 77 |
>>The fix is to upgrade to the latest OpenSSH (3.1p1) ASAP. |
| 78 |
>>May I politely suggest that a new ebuild be constructed post-haste? :) |
| 79 |
>>Anyway, for those at risk, I have constructed an emergency ebuild and |
| 80 |
>>digest file, so you may upgrade immediately. |
| 81 |
>>The files can be found here: http://www.cdavies.org/gentoo/ |
| 82 |
>> |
| 83 |
>>Put the digest file in /usr/portage/net-misc/openssh/files and the |
| 84 |
>>ebuild in /usr/portage/net-misc/openssh and rerun emerge openssh. |
| 85 |
>> |
| 86 |
>>If anyone thinks it is worthwhile, I will also post this message to the |
| 87 |
>>gentoo users list, but at present I'm not going to do that. |
| 88 |
>>Thanks, |
| 89 |
>>C.Davies |
| 90 |
>>(c.davies@×××××××.org) |
| 91 |
>> |
| 92 |
>> |
| 93 |
>>_______________________________________________ |
| 94 |
>>gentoo-dev mailing list |
| 95 |
>>gentoo-dev@g.o |
| 96 |
>>http://lists.gentoo.org/mailman/listinfo/gentoo-dev |
| 97 |
>> |
| 98 |
>_______________________________________________ |
| 99 |
>gentoo-dev mailing list |
| 100 |
>gentoo-dev@g.o |
| 101 |
>http://lists.gentoo.org/mailman/listinfo/gentoo-dev |
| 102 |
> |
Archives