Hi,

Yep. Noticed that a few minutes after I sent the e-mail. I must have
done my rsync before this package was added.
My Bad.
Thanks,
C.Davies
(c.davies@×××××××.org)

Ferry Meyndert wrote:

>It's already fixed in Gentoo; here is a copy of the announcement sent to the announcement list.
>- --------------------------------------------------------------------------
>GENTOO LINUX SECURITY ANNOUNCEMENT
>- --------------------------------------------------------------------------
>
>PACKAGE :openssh
>SUMMARY :vulnerable to an off-by-one error in the channel code
>DATE :2002-04-7 18:02:00
>
>- --------------------------------------------------------------------------
>
>OVERVIEW
>
>
> A bug exists in the channel code of OpenSSH versions 2.0 - 3.0.2.
> Users with an existing user account can abuse this bug to
> gain root privileges. Exploitability without an existing
> user account has not been proven but is not considered
> impossible. A malicious ssh server could also use this bug
> to exploit a connecting vulnerable client.
>
>
>DETAIL
>
> http://www.pine.nl/advisories/pine-cert-20020301.txt
>
>
>SOLUTION
>
>
> It is recommended that all openssh users apply the update
>
> Portage Auto:
>
> emerge rsync
> emerge update
> emerge update --world
>
>
> Portage by hand:
>
> emerge rsync
> emerge net-misc/openssh
>
> Manually:
>
> Download the new openssh package here and follow the in-file instructions:
> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.1p1.tar.gz
>
>- --------------------------------------------------------------------------
>Ferry Meyndert
>m0rpheus@g.o
>- --------------------------------------------------------------------------
>
>
>On Thu, 07 Mar 2002 20:04:55 +0000
>Chris Davies <c.davies@×××××××.org> wrote:
>
>>Hi,
>>
>>I haven't seen anything in bugs or this list about this, so here is the
>>news:
>>CERT have issued an advisory about OpenSSH; the bug in question enables
>>existing users to gain root privileges.
>>The advisory is here: http://www.pine.nl/advisories/pine-cert-20020301.txt
>>The fix is to upgrade to the latest OpenSSH (3.1p1) ASAP.
>>May I politely suggest that a new ebuild be constructed post-haste? :)
>>Anyway, for those at risk, I have constructed an emergency ebuild and
>>digest file, so you may upgrade immediately.
>>The files can be found here: http://www.cdavies.org/gentoo/
>>
>>Put the digest file in /usr/portage/net-misc/openssh/files and the
>>ebuild in /usr/portage/net-misc/openssh and rerun emerge openssh.
>>
>>If anyone thinks it is worthwhile, I will also post this message to the
>>gentoo users list, but at present I'm not going to do that.
>>Thanks,
>>C.Davies
>>(c.davies@×××××××.org)
>>
>>
>>_______________________________________________
>>gentoo-dev mailing list
>>gentoo-dev@g.o
>>http://lists.gentoo.org/mailman/listinfo/gentoo-dev
>>
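
As an added example (not part of the original thread and not Gentoo's or OpenSSH's own tooling), the script below screens OpenSSH version banners against the range the announcement names, 2.0 through 3.0.2, treating 3.1p1 as the fixed release. The function names and the sample banner strings are constructed for illustration.

```shell
#!/bin/sh
# Screen OpenSSH banners against the announcement's affected range
# (2.0 - 3.0.2). Helper names and sample banners are constructed.

# Extract "major minor patch" from strings such as
# "OpenSSH_3.0.2p1, ..." or "SSH-2.0-OpenSSH_3.1p1".
parse_openssh_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $v                 # split on dots; the "p1" suffix is already gone
    IFS=$old_ifs
    # Pad missing components so "3.1" is compared as 3.1.0.
    echo "${1:-0} ${2:-0} ${3:-0}"
}

# Prints "affected", "not-affected" or "unknown" (no OpenSSH version found).
classify_banner() {
    parts=$(parse_openssh_version "$1") || { echo unknown; return 0; }
    set -- $parts
    key=$(( $1 * 10000 + $2 * 100 + $3 ))
    # 2.0 -> 20000, 3.0.2 -> 30002; both ends are inside the range.
    if [ "$key" -ge 20000 ] && [ "$key" -le 30002 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed sample banners, as seen from `ssh -V` or a server greeting.
while IFS= read -r banner; do
    printf '%-14s %s\n' "$(classify_banner "$banner")" "$banner"
done <<'EOF'
OpenSSH_3.0.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
SSH-1.99-OpenSSH_2.9p2
SSH-2.0-OpenSSH_3.1p1
SSH-2.0-ExampleSSHD_1.0
EOF
```

A version match is a screening result only: a vendor may backport a fix without changing the upstream version string, so confirm against the package changelog.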