[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Mandriva] Schwachstelle in OpenSSH - MDKSA-2006:204



-----BEGIN PGP SIGNED MESSAGE-----

Liebe Kolleginnen und Kollegen,

soeben erreichte uns nachfolgendes Advisory von Mandriva Security. Wir
geben diese Informationen unveraendert an Sie weiter.

CVE-2006-5794 - Schwachstelle in der Signaturueberpruefung von OpenSSH

  In OpenSSH wurde eine Schwachstelle entdeckt, welche von einem
  Angreifer ausgenutzt werden kann, um Sicherheitsueberpruefungen zu
  umgehen. Der Fehler besteht in der Funktion "monitor_child_preauth()"
  und fuehrt dazu, dass bestimmte Signaturen nicht richtig ueberprueft
  werden. Die Schwachstelle ist nur in Verbindung mit anderen
  Schwachstellen ausnutzbar.

Betroffen sind die folgenden Software Pakete und Plattformen:

  Paket openssh

  Mandriva 2006.0
  Mandriva 2007.0
  Mandriva Corporate 3.0
  Mandriva Corporate 4.0
  Mandriva Multi Network Firewall 2.0

Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.

Hersteller Advisory:
  http://www.mandriva.com/security/advisories?name=MDKSA-2006:204


(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken
gestattet.

Mit freundlichen Gruessen,
                Klaus Moeller, DFN-CERT Services GmbH



- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2006:204
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : openssh
 Date    : November 8, 2006
 Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 A vulnerability in the privilege separation functionality in OpenSSH
 was discovered, caused by an incorrect checking for bad signatures in
 sshd's privsep monitor.  As a result, the monitor and the unprivileged
 process can get out sync.  The OpenSSH team indicated that this bug is
 not known to be exploitable in the abence of additional
 vulnerabilities.

 Updated packages have been patched to correct this issue, and Mandriva
 Linux 2007 has received the latest version of OpenSSH.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5794
 http://www.openssh.com/txt/release-4.5
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 97d55a01498ae859817c236d6be17bb5  2006.0/i586/openssh-4.3p1-0.4.20060mdk.i586.rpm
 a47c9f8361c91de4c97b827171f379be  2006.0/i586/openssh-askpass-4.3p1-0.4.20060mdk.i586.rpm
 6a18e82f1251073d4f17bcb653a8da4a  2006.0/i586/openssh-askpass-gnome-4.3p1-0.4.20060mdk.i586.rpm
 36995045f95028848691226a3624d701  2006.0/i586/openssh-clients-4.3p1-0.4.20060mdk.i586.rpm
 598feb16c5b77c20b8d8e364a6d0a83e  2006.0/i586/openssh-server-4.3p1-0.4.20060mdk.i586.rpm 
 3c4642aa46959520d6374c5dd55c2488  2006.0/SRPMS/openssh-4.3p1-0.4.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 d5d932876aab273d0734de9a156f3514  2006.0/x86_64/openssh-4.3p1-0.4.20060mdk.x86_64.rpm
 4d921a0e4c743b78824c100e49480a43  2006.0/x86_64/openssh-askpass-4.3p1-0.4.20060mdk.x86_64.rpm
 79d975ab47eb58aa39350d0cb56a3507  2006.0/x86_64/openssh-askpass-gnome-4.3p1-0.4.20060mdk.x86_64.rpm
 52eb00190b757e7ca842fad40e34cdec  2006.0/x86_64/openssh-clients-4.3p1-0.4.20060mdk.x86_64.rpm
 25bb2488c0c460ca2ee28814b5902d6f  2006.0/x86_64/openssh-server-4.3p1-0.4.20060mdk.x86_64.rpm 
 3c4642aa46959520d6374c5dd55c2488  2006.0/SRPMS/openssh-4.3p1-0.4.20060mdk.src.rpm

 Mandriva Linux 2007.0:
 685ed779bc6e5b069456c1a1ec3cbde0  2007.0/i586/openssh-4.5p1-0.1mdv2007.0.i586.rpm
 22384a44c965285f8077624d7d35c2aa  2007.0/i586/openssh-askpass-4.5p1-0.1mdv2007.0.i586.rpm
 eb05d1b12e62a590d6a627ea9a058a1a  2007.0/i586/openssh-askpass-common-4.5p1-0.1mdv2007.0.i586.rpm
 31de85b9ec2be0990e03f0e52350a826  2007.0/i586/openssh-askpass-gnome-4.5p1-0.1mdv2007.0.i586.rpm
 9a17d425bdd1e7d62ecc96dccbb25aaf  2007.0/i586/openssh-clients-4.5p1-0.1mdv2007.0.i586.rpm
 d93dc4b53d3e9a683dc5878ae5bf3139  2007.0/i586/openssh-server-4.5p1-0.1mdv2007.0.i586.rpm 
 48dfb1f18e3a82ba39fc5dcdbc98ac9b  2007.0/SRPMS/openssh-4.5p1-0.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 083b3ffdb875a5f053c41bc8913b9bea  2007.0/x86_64/openssh-4.5p1-0.1mdv2007.0.x86_64.rpm
 3e096fa50c7440c76f748c9d6c76f551  2007.0/x86_64/openssh-askpass-4.5p1-0.1mdv2007.0.x86_64.rpm
 a0b32fd47e7b00b3240ae94a3e555915  2007.0/x86_64/openssh-askpass-common-4.5p1-0.1mdv2007.0.x86_64.rpm
 8c200957e509389151a07b56b2a1b9d2  2007.0/x86_64/openssh-askpass-gnome-4.5p1-0.1mdv2007.0.x86_64.rpm
 cb15557e3e324dfd9a4c4739f2513989  2007.0/x86_64/openssh-clients-4.5p1-0.1mdv2007.0.x86_64.rpm
 0a4aedec1aee0c6449eb4258e98417ab  2007.0/x86_64/openssh-server-4.5p1-0.1mdv2007.0.x86_64.rpm 
 48dfb1f18e3a82ba39fc5dcdbc98ac9b  2007.0/SRPMS/openssh-4.5p1-0.1mdv2007.0.src.rpm

 Corporate 3.0:
 55fdb58d443f991360f2f650c55be459  corporate/3.0/i586/openssh-4.3p1-0.3.C30mdk.i586.rpm
 49862cc132762967617b68eb04a7227b  corporate/3.0/i586/openssh-askpass-4.3p1-0.3.C30mdk.i586.rpm
 ef5f7e7432c6545e2ed5b652db791347  corporate/3.0/i586/openssh-askpass-gnome-4.3p1-0.3.C30mdk.i586.rpm
 74f630bf4cabda7c0e74d8dcddb2df96  corporate/3.0/i586/openssh-clients-4.3p1-0.3.C30mdk.i586.rpm
 1a59b176b78cd8a042847f91c94e34e7  corporate/3.0/i586/openssh-server-4.3p1-0.3.C30mdk.i586.rpm 
 4e683f1e7cf9a3f00ac6792e661184bb  corporate/3.0/SRPMS/openssh-4.3p1-0.3.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 53994a4dca0377a152eef5b7b1824db6  corporate/3.0/x86_64/openssh-4.3p1-0.3.C30mdk.x86_64.rpm
 09832364e0f432cd254b3ed53876b9c7  corporate/3.0/x86_64/openssh-askpass-4.3p1-0.3.C30mdk.x86_64.rpm
 ba54af4f6d57353cf07ead346ef0a66e  corporate/3.0/x86_64/openssh-askpass-gnome-4.3p1-0.3.C30mdk.x86_64.rpm
 0a3351846f58a6f59def15b93ac75463  corporate/3.0/x86_64/openssh-clients-4.3p1-0.3.C30mdk.x86_64.rpm
 c5afc0df524e025b6a1f685dd5475d85  corporate/3.0/x86_64/openssh-server-4.3p1-0.3.C30mdk.x86_64.rpm 
 4e683f1e7cf9a3f00ac6792e661184bb  corporate/3.0/SRPMS/openssh-4.3p1-0.3.C30mdk.src.rpm

 Corporate 4.0:
 91b64f8c6354fe0dac3bbc45412a90cb  corporate/4.0/i586/openssh-4.3p1-0.4.20060mlcs4.i586.rpm
 f894df39703e3526828d40b87905c900  corporate/4.0/i586/openssh-askpass-4.3p1-0.4.20060mlcs4.i586.rpm
 981aa54d8a6ad3ed6f350f6871c61edc  corporate/4.0/i586/openssh-askpass-gnome-4.3p1-0.4.20060mlcs4.i586.rpm
 77c2c6eecd5d45d9e1f2f9ca39e8d54d  corporate/4.0/i586/openssh-clients-4.3p1-0.4.20060mlcs4.i586.rpm
 feb3958987ee69997170c5464bd596ac  corporate/4.0/i586/openssh-server-4.3p1-0.4.20060mlcs4.i586.rpm 
 5f958b84f60ef962b84a4f46b6d80424  corporate/4.0/SRPMS/openssh-4.3p1-0.4.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 16c2fea9fa550b9827e619b43b731bdd  corporate/4.0/x86_64/openssh-4.3p1-0.4.20060mlcs4.x86_64.rpm
 3b1de1edad9666fe782736f32c450104  corporate/4.0/x86_64/openssh-askpass-4.3p1-0.4.20060mlcs4.x86_64.rpm
 351b0c9655f7d516a608376620d93aa8  corporate/4.0/x86_64/openssh-askpass-gnome-4.3p1-0.4.20060mlcs4.x86_64.rpm
 487f7c3948e58b0e5e03a1b419b6a339  corporate/4.0/x86_64/openssh-clients-4.3p1-0.4.20060mlcs4.x86_64.rpm
 a03b7d99254a22c05c3e6043c5e82e94  corporate/4.0/x86_64/openssh-server-4.3p1-0.4.20060mlcs4.x86_64.rpm 
 5f958b84f60ef962b84a4f46b6d80424  corporate/4.0/SRPMS/openssh-4.3p1-0.4.20060mlcs4.src.rpm

 Multi Network Firewall 2.0:
 2c2cd66daadd721d7065112d66b1ed98  mnf/2.0/i586/openssh-4.3p1-0.3.M20mdk.i586.rpm
 ab6d7afa2944fdf1e38ca76e2ee7484c  mnf/2.0/i586/openssh-askpass-4.3p1-0.3.M20mdk.i586.rpm
 246f480977cacf68ee80ef51d5ecc577  mnf/2.0/i586/openssh-askpass-gnome-4.3p1-0.3.M20mdk.i586.rpm
 3e98575c58f023e11733fddd0c8ec459  mnf/2.0/i586/openssh-clients-4.3p1-0.3.M20mdk.i586.rpm
 9ba7ab6f44be202d16377cd04f1eb69e  mnf/2.0/i586/openssh-server-4.3p1-0.3.M20mdk.i586.rpm 
 f2c5acde98d371f1efb858a9c3d07da8  mnf/2.0/SRPMS/openssh-4.3p1-0.3.M20mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFUlOJmqjQ0CJFipgRArC5AJ0e2uIQUZjyf4Mqo7gAmIE1o1Fh0ACfVwSo
72A6UAQ1pI3kHD7stEduBso=
=woyj
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iQEVAwUBRVMCtPBT2+ukQ5RFAQEjjwf/ZHpxmuddXH3hj+2QQ0wxmh0UWtIUVLy/
ffT/Ig2idosoQtTyxNiWmARhwhWr6hRlAqwgjP/ZziFMDsxF95GsZtQvnD48zBez
DpOow+DXi8YOutBsZXpUK49xBoHWEWsJPTNELBnYHSA2EVtWv9C+aoNtw3bFIiSU
BdxwGmNiyx4z+GgWq6f4C3tNVyoUaqrxeZwPD+ZQjTkwoRfmB3vd3vCj68vS5wzH
sBvbAMernUHIN69lTDMuxYqhmyhmJKA7kQr3vn0p70r8luSS0dEqW+QnoukBy+39
Uzb4HcC3mSbo2EYT5B0DiVwWLsYuKQmbkZ5Y1FnxHs4lKItc3eOcqA==
=baO+
-----END PGP SIGNATURE-----