[linux-guvenlik] [Fwd: [slackware-security] New OpenSSH packages available]

---------


From: Enver ALTIN (ealtin@casdb.com)
Date: Fri 28 Jun 2002 - 23:01:57 EEST


-----Forwarded Message-----

From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] New OpenSSH packages available
Date: 26 Jun 2002 13:45:48 -0700

New OpenSSH 3.4p1 packages providing privilege separation for improved
security are available for Slackware 7.1, 8.0, and 8.1. Here are the
details from the Slackware 8.1 ChangeLog:

----------------------------
Wed Jun 26 12:03:06 PDT 2002
patches/packages/openssh-3.4p1-i386-1.tgz: Upgraded to openssh-3.4p1.
  This version enables privilege separation by default. The
  README.privsep file says this about it:

     Privilege separation, or privsep, is a method in OpenSSH by which
     operations that require root privilege are performed by a separate
     privileged monitor process. Its purpose is to prevent privilege
     escalation by containing corruption to an unprivileged process. More
     information is available at:
       http://www.citi.umich.edu/u/provos/ssh/privsep.html

  Note that ISS has released an advisory on OpenSSH (OpenSSH Remote
  Challenge Vulnerability). Slackware is not affected by this issue, as
  we have never included AUTH_BSD, S/KEY, or PAM. Unless at least one of
  these options is compiled into sshd, it is not vulnerable. Further note
  that none of these options are turned on in a default build from source
  code, so if you have built sshd yourself you should not be vulnerable
  unless you've enabled one of these options.

  Regardless, the security provided by privsep is unquestionably better.
  This time we (Slackware) were lucky, but next time we might not be.
  Therefore we recommend that all sites running the OpenSSH daemon (sshd,
  enabled by default in Slackware 8.1) upgrade to this new openssh
  package. After upgrading the package, restart the daemon like this:

  /etc/rc.d/rc.sshd restart

  We would like to thank Theo and the rest of the OpenSSH team for their
  quick handling of this issue, Niels Provos and Markus Friedl for
  implementing privsep, and Solar Designer for working out issues with
  privsep on 2.2 Linux kernels.
----------------------------

The text of the ISS Advisory may be found here:
  http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584

WHERE TO FIND THE NEW PACKAGES:
-------------------------------
Updated OpenSSH package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/openssh-3.4p1-i386-1.tgz

Updated OpenSSH package for Slackware 8.0:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/openssh.tgz

Updated OpenSSH package for Slackware 7.1:
ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/openssh.tgz

MD5 SIGNATURES:
---------------

Here are the md5sums for the packages:

Slackware 8.1:
bfd503d88144c62906deef4a1280f583 openssh-3.4p1-i386-1.tgz

Slackware 8.0:
a88c387e5261dd9ac90b113e85d054ed openssh.tgz

Slackware 7.1:
416b8e06b181ab01a975958a893688b3 openssh.tgz

INSTALLATION INSTRUCTIONS:
--------------------------

First upgrade the OpenSSH package:

   # upgradepkg openssh-3.4p1-i386-1.tgz

Then, check the /etc/ssh/ directory where the new config files will be
installed as ssh_config.new and sshd_config.new. Most sites will want
to move these on top of the existing config files:

   # mv ssh_config.new ssh_config
   # mv sshd_config.new sshd_config

Finally, restart the sshd daemon:

   # . /etc/rc.d/rc.sshd restart

- Slackware Linux Security Team
  http://www.slackware.com


-- 
Enver (a.k.a. skyblue) - A potent hallucinogene
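
Added example, not part of the forwarded advisory or of Slackware's tooling: shell helpers that check a downloaded package against the md5sum published above before `upgradepkg` is run, list any `.new` config files still waiting in /etc/ssh, and report the effective `UsePrivilegeSeparation` value in an sshd_config. The function names are hypothetical, and treating an absent keyword as "yes" is an assumption taken from the advisory's statement that 3.4p1 enables privsep by default.

```shell
#!/bin/sh
# Added example. The hash is copied from the advisory (Slackware 8.1 package).
EXPECTED_81="bfd503d88144c62906deef4a1280f583"

# verify_md5 FILE EXPECTED: succeed only if FILE's md5sum equals EXPECTED.
# Intended use: verify_md5 openssh-3.4p1-i386-1.tgz "$EXPECTED_81" && upgradepkg ...
verify_md5() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    actual=$(md5sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ] && return 0
    echo "MD5 mismatch for $1: got $actual, expected $2" >&2
    return 1
}

# pending_new_configs DIR: print the .new config files the upgrade left in DIR.
# Until they are moved into place, sshd keeps using the old config files.
pending_new_configs() {
    for f in "$1"/ssh_config.new "$1"/sshd_config.new; do
        [ -e "$f" ] && echo "$f"
    done
    return 0
}

# privsep_setting CONFIG: print the effective UsePrivilegeSeparation value.
# Keywords are case-insensitive and the first occurrence wins; commented
# lines are ignored. Only whitespace-separated "Keyword value" is handled.
# Assumption: an absent keyword means the 3.4p1 default, "yes".
privsep_setting() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "useprivilegeseparation" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "yes" }
    ' "$1"
}

# Demo on a constructed sshd_config (not taken from a real host).
demo=$(mktemp)
printf 'Port 22\nUsePrivilegeSeparation no\n' > "$demo"
echo "effective UsePrivilegeSeparation: $(privsep_setting "$demo")"
rm -f "$demo"
```

An old sshd_config carried over from before the upgrade that sets the keyword to "no" turns privsep off again, which is the case `privsep_setting` is meant to catch.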



