7705821 2001-12-20 17:47 +0100  /97 rader/ Trustix Secure Linux Advisor <tsl@trustix.com>
Sänt av: joel@lysator.liu.se
Importerad: 2001-12-20  23:46  av Brevbäraren
Extern mottagare: tsl-announce@trustix.org
Extern kopiemottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <20234>
Ärende: TSL-2001-0030 - openssh (updated)
------------------------------------------------------------
From: Trustix Secure Linux Advisor <tsl@trustix.com>
To: tsl-announce@trustix.org
Cc: bugtraq@securityfocus.com
Message-ID: <20011220164732.GA9117@thunder.trustix.com>

Note to moderator:  We had an error in the first packages created.
This is effectively the same advisory as the previous almost
identical one, but the MD5 sums are changed.  Sorry.

Erlend··
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2001-0030

Package name:      OpenSSH
Severity:          Local root exploit if UseLogin option enabled
Date:              2001-12-19
Affected versions: TSL 1.01, 1.1, 1.2, 1.5

- --------------------------------------------------------------------------

Problem description:
  A malicious local user can pass environment variables to the login
  process if the administrator enables the UseLogin option.  This can
  be abused to bypass authentication and gain root access.
  Note that this option is not enabled by default on TSL.

  Updated:
  There was a file conflict in the packages in the original advisory.
  Packages are now fixed, and the MD5 sum is updated.


Action:
  We recommend that all systems with this package installed are upgraded.


Location:
  All TSL updates are available from
  <URI:http://www.trustix.net/pub/Trustix/updates/>
  <URI:ftp://ftp.trustix.net/pub/Trustix/updates/>


Automatic updates:
  Users of the SWUP tool, can enjoy having updates automatically
  installed using 'swup --upgrade'.

  Get SWUP from:
  <URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.net/support/>


Verification:
  This advisory along with all TSL packages are signed with the TSL sign key.
  This key available from:
  <URI:http://www.trustix.net/TSL-GPG-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.net/errata/trustix-1.2/> and
  <URI:http://www.trustix.net/errata/trustix-1.5/>
  or directly at
  <URI:http://www.trustix.net/errata/misc/2001/TSL-2001-0030-openssh.asc.txt>

MD5sums of the packages:
- --------------------------------------------------------------------------
ca264cee029f32e7d91a879ae6d5983b  ./1.5/SRPMS/openssh-3.0.2p1-2tr.src.rpm
ba39a570c1681e0a90d288e0b0dadc72  ./1.5/RPMS/openssh-server-3.0.2p1-2tr.i586.rpm
069a436c78fc76137ff40c33eb8008ac  ./1.5/RPMS/openssh-clients-3.0.2p1-2tr.i586.rpm
599cffe859ce5baa8db1e0b8b07251dd  ./1.5/RPMS/openssh-3.0.2p1-2tr.i586.rpm
ca264cee029f32e7d91a879ae6d5983b  ./1.2/SRPMS/openssh-3.0.2p1-2tr.src.rpm
61f3e140c4b161a210ec6634b662c8bc  ./1.2/RPMS/openssh-server-3.0.2p1-2tr.i586.rpm
9c65dfdc3047d109448020a8505bc3c1  ./1.2/RPMS/openssh-clients-3.0.2p1-2tr.i586.rpm
6f532429e948a93cea48a7f28d1fbd54  ./1.2/RPMS/openssh-3.0.2p1-2tr.i586.rpm
ca264cee029f32e7d91a879ae6d5983b  ./1.1/SRPMS/openssh-3.0.2p1-2tr.src.rpm
76cfc275b6aa5af4239dbcf0e7dc9424  ./1.1/RPMS/openssh-server-3.0.2p1-2tr.i586.rpm
295f6aca056e79f70469ed1bfd98fbba  ./1.1/RPMS/openssh-clients-3.0.2p1-2tr.i586.rpm
5aec4ff6dc5d9e3f2d6c990956e15c4f  ./1.1/RPMS/openssh-3.0.2p1-2tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8IhSqwRTcg4BxxS0RAjq/AJ4mBvh5PUUnhJ3N1UnotXujGCppoACeI1V1
6TdIChmxh256yrndQzDnaUI=
=0LWF
-----END PGP SIGNATURE-----
(7705821) /Trustix Secure Linux Advisor <tsl@trustix.com>/(Ombruten)