-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

            Caldera International, Inc.  Security Advisory

Subject:            Linux: REVISED: OpenSSH ticket and token passing buffer overflow
Advisory number:    CSSA-2002-022.2
Issue date:         2002 May 31
Cross reference:
______________________________________________________________________________


1. Problem Description

   A buffer overflow exists in OpenSSH if KerberosTgtPassing or
   AFSTokenPassing has been enabled in the sshd_config file. A
   malicious user, possibly remote, could use this vulnerability to
   gain privileged access to the system.

   The previous several updates of openSSH have had erroneous version
   numbers. We have decided to release the latest version of openSSH
   (3.2.3), instead of trying to bring the current version (2.9.9) up
   to date.


2. Vulnerable Supported Versions

   System                        Package
   ----------------------------------------------------------------------

   OpenLinux 3.1.1 Server        prior to openssh-3.2.3p1-2.i386.rpm
                                 prior to openssh-askpass-3.2.3p1-2.i386.rpm
                                 prior to openssh-server-3.2.3p1-2.i386.rpm

   OpenLinux 3.1.1 Workstation   prior to openssh-3.2.3p1-2.i386.rpm
                                 prior to openssh-askpass-3.2.3p1-2.i386.rpm
                                 prior to openssh-server-3.2.3p1-2.i386.rpm

   OpenLinux 3.1 Server          prior to openssh-3.2.3p1-2.i386.rpm
                                 prior to openssh-askpass-3.2.3p1-2.i386.rpm
                                 prior to openssh-server-3.2.3p1-2.i386.rpm

   OpenLinux 3.1 Workstation     prior to openssh-3.2.3p1-2.i386.rpm
                                 prior to openssh-askpass-3.2.3p1-2.i386.rpm
                                 prior to openssh-server-3.2.3p1-2.i386.rpm


3. Solution

   The proper solution is to install the latest packages.


4. OpenLinux 3.1.1 Server

   4.1 Package Location

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

   4.2 Packages

       8b0a12d11ab1aae416b447150417e215  openssh-3.2.3p1-2.i386.rpm
       bebfc9ceb41069ceb7fa465417a11545  openssh-askpass-3.2.3p1-2.i386.rpm
       2e45900b925a2d6735e804141c219947  openssh-server-3.2.3p1-2.i386.rpm

   4.3 Installation

       rpm -Fvh openssh-3.2.3p1-2.i386.rpm
       rpm -Fvh openssh-askpass-3.2.3p1-2.i386.rpm
       rpm -Fvh openssh-server-3.2.3p1-2.i386.rpm

   4.4 Source Package Location

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

   4.5 Source Packages

       a2b90c09e76d3d025c67fa7d3f5416d3  openssh-3.2.3p1-2.src.rpm


5. OpenLinux 3.1.1 Workstation

   5.1 Package Location

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

   5.2 Packages

       73daca03946a1ded2f70e033f30002fe  openssh-3.2.3p1-2.i386.rpm
       0c47a7427efa307fc671608a02965e26  openssh-askpass-3.2.3p1-2.i386.rpm
       1fbbc843259150088a1351ff03762c46  openssh-server-3.2.3p1-2.i386.rpm

   5.3 Installation

       rpm -Fvh openssh-3.2.3p1-2.i386.rpm
       rpm -Fvh openssh-askpass-3.2.3p1-2.i386.rpm
       rpm -Fvh openssh-server-3.2.3p1-2.i386.rpm

   5.4 Source Package Location

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

   5.5 Source Packages

       5d2283d5260e898d78aae2efdf4eeca9  openssh-3.2.3p1-2.src.rpm


6. OpenLinux 3.1 Server

   6.1 Package Location

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

   6.2 Packages

       576beaa523b0e752c1756b6283bd9b70  openssh-3.2.3p1-2.i386.rpm
       a0b034c8235a0f46d3878d7f68b35335  openssh-askpass-3.2.3p1-2.i386.rpm
       ae46ce85ea292e6100e848937ac615b3  openssh-server-3.2.3p1-2.i386.rpm

   6.3 Installation

       rpm -Fvh openssh-3.2.3p1-2.i386.rpm
       rpm -Fvh openssh-askpass-3.2.3p1-2.i386.rpm
       rpm -Fvh openssh-server-3.2.3p1-2.i386.rpm

   6.4 Source Package Location

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

   6.5 Source Packages

       f430558567f4bfca1560d29befcc0322  openssh-3.2.3p1-2.src.rpm


7. OpenLinux 3.1 Workstation

   7.1 Package Location

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

   7.2 Packages

       4c9d35ddca2023187e418bffae70fce1  openssh-3.2.3p1-2.i386.rpm
       3103ee17d286b2c85d2f93376ebad965  openssh-askpass-3.2.3p1-2.i386.rpm
       4a0926190f4818e908c22abed8268e9a  openssh-server-3.2.3p1-2.i386.rpm

   7.3 Installation

       rpm -Fvh openssh-3.2.3p1-2.i386.rpm
       rpm -Fvh openssh-askpass-3.2.3p1-2.i386.rpm
       rpm -Fvh openssh-server-3.2.3p1-2.i386.rpm

   7.4 Source Package Location

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

   7.5 Source Packages

       6f22760d5fc6dfa2227772e0f51ffc9e  openssh-3.2.3p1-2.src.rpm


8. References

   Specific references for this advisory:

       none

   Caldera OpenLinux security resources:

       http://www.caldera.com/support/security/index.html

   Caldera UNIX security resources:

       http://stage.caldera.com/support/security/

   This security fix closes Caldera incidents sr863642, fz520794
   and erg712034.


9. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of
   any of the information we provide on this website and/or through
   our security advisories. Our advisories are a service to our
   customers intended to promote secure installation and use of
   Caldera products.


10. Acknowledgements

   Marcell Fodor discovered and researched this vulnerability.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjz4EQoACgkQbluZssSXDTHJfQCePLcf8omE/l8kBOyvu6N/mLcg
EVgAoNsqKBni4LHT91SAalXPwQuBIjbm
=W83X
-----END PGP SIGNATURE-----
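
Added example (not part of the Caldera advisory): a shell check for the exposure condition in section 1, reporting whether KerberosTgtPassing or AFSTokenPassing is explicitly enabled in an sshd_config file. The function names and the sample file are constructed for illustration; an option that is absent is reported as "unset" because its built-in default is not stated in the advisory.

```shell
#!/bin/sh
# Added example, not Caldera's code. Function names are hypothetical.

# Print the value set for keyword $2 in config file $1, or "unset".
# sshd_config keywords are case-insensitive and sshd keeps the first
# value it reads for a keyword, so only the first match counts.
sshd_opt() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "unset" }
        NF == 0 || $1 ~ /^#/ { next }          # blank line or comment
        tolower($1) == want { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# Print both options named in the advisory.
# Returns 0 if neither is explicitly "yes", 1 otherwise.
audit_sshd_config() {
    cfg=$1
    rc=0
    for kw in KerberosTgtPassing AFSTokenPassing; do
        v=$(sshd_opt "$cfg" "$kw")
        printf '%s: %s\n' "$kw" "$v"
        if [ "$v" = "yes" ]; then
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config (not taken from the advisory).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample sshd_config
Port 22
kerberostgtpassing yes
KerberosTgtPassing no
#AFSTokenPassing yes
EOF

if audit_sshd_config "$sample"; then
    echo "neither option is explicitly enabled"
else
    echo "an option named in the advisory is enabled: install the updated packages"
fi
rm -f "$sample"
```

On a real host, call `audit_sshd_config` with the path of the sshd_config file the running daemon reads; an "unset" result still needs the default for the installed build checked.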