Date: Wed, 6 Aug 2003 15:40:05 +0200
From: OpenPKG <[email protected]>
To: [email protected]
Subject: [OpenPKG-SA-2003.035] OpenPKG Security Advisory (openssh)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html                 http://www.openpkg.org
[email protected]                                  [email protected]
OpenPKG-SA-2003.035                                          06-Aug-2003
________________________________________________________________________
Package: openssh
Vulnerability: information leakage
OpenPKG Specific: no
Affected Releases:   Affected Packages:              Corrected Packages:
OpenPKG CURRENT      <= openssh-3.6.1p1-20030423     >= openssh-3.6.1p2-20030429
OpenPKG 1.3          none                            N.A.
OpenPKG 1.2          <= openssh-3.5p1-1.2.1          >= openssh-3.5p1-1.2.2
Dependent Packages: none
Description:
According to a Mediaservice.net security advisory [0], an information
leakage exists in OpenSSH [1] 3.6.1p1 and earlier if PAM support
is enabled. When a user does not exist, an error message is sent
immediately (without any delay), which allows remote attackers to
determine valid usernames via a timing attack. OpenPKG installations
are only affected if the package was built with the option "with_pam"
set to "yes" -- which is not the default. The Common Vulnerabilities
and Exposures (CVE) project assigned the id CAN-2003-0190 [2] to the
problem.
We could only reproduce the problem on Linux. FreeBSD and Solaris are
not vulnerable; the patch does not affect their behaviour. However,
the problem is related to the PAM configuration, not the operating
system. Using a non-default configuration might leak information on
other operating systems, too. On Linux systems, a valid workaround is
to add a "nodelay" option to the pam_unix.so auth entry.
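The timing difference described above, and the idea behind equalising it, as an added Python illustration that is not part of this advisory or of the OpenSSH/PAM code: a lookup that rejects unknown users before doing any password work, next to a variant that performs the same hashing for every name. The account store, the "alice" user and the PBKDF2 parameters are constructed for the example; the page's own Linux workaround instead removes the failure delay via the pam_unix "nodelay" option.

```python
import hashlib
import hmac
import os
import time

# Constructed sample account store (not real credentials): username -> (salt, PBKDF2 hash).
def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _derive("correct horse", _SALT))}

# Dummy credential so that unknown users pay the same hashing cost as known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _derive("placeholder", _DUMMY_SALT)


def authenticate_leaky(user: str, password: str) -> bool:
    """Vulnerable pattern: an unknown user is rejected before any password
    hashing, so the reply arrives much faster than for a real account."""
    entry = USERS.get(user)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_derive(password, salt), expected)


def authenticate_uniform(user: str, password: str) -> bool:
    """Hardened pattern: always run the full password derivation, against a
    dummy record when the user does not exist, so both failure paths do the
    same work. An unknown user is rejected even if the guess matches the
    dummy hash."""
    entry = USERS.get(user)
    known = entry is not None
    salt, expected = entry if known else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(_derive(password, salt), expected)
    return matched and known


def elapsed(fn, user: str, password: str) -> float:
    """Wall-clock seconds for one authentication attempt."""
    start = time.perf_counter()
    fn(user, password)
    return time.perf_counter() - start


if __name__ == "__main__":
    for fn in (authenticate_leaky, authenticate_uniform):
        print(fn.__name__, "known:", f"{elapsed(fn, 'alice', 'wrong'):.4f}s",
              "unknown:", f"{elapsed(fn, 'bob', 'wrong'):.4f}s")
```

Run it a few times: the leaky variant answers for "bob" in microseconds but takes tens of milliseconds for "alice", while the uniform variant costs the same for both.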
Please check whether you are affected by running "<prefix>/bin/rpm -q
openssh". If you have the "openssh" package installed and its version
is affected (see above), we recommend that you immediately upgrade it
(see Solution).
Solution:
Select the updated source RPM appropriate for your OpenPKG release
[5], fetch it from the OpenPKG FTP service [6] or a mirror location,
verify its integrity [7], build a corresponding binary RPM from it [3]
and update your OpenPKG installation by applying the binary RPM [4].
For the current release OpenPKG 1.2, perform the following operations
to permanently fix the security problem (for other releases adjust
accordingly).
$ ftp ftp.openpkg.org
ftp> bin
ftp> cd release/1.2/UPD
ftp> get openssh-3.5p1-1.2.2.src.rpm
ftp> bye
$ <prefix>/bin/rpm -v --checksig openssh-3.5p1-1.2.2.src.rpm
$ <prefix>/bin/rpm --rebuild openssh-3.5p1-1.2.2.src.rpm
$ su -
# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssh-3.5p1-1.2.2.*.rpm
________________________________________________________________________
References:
[0] http://lab.mediaservice.net/advisory/2003-01-openssh.txt
[1] http://www.openssh.com/
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0190
[3] http://www.openpkg.org/tutorial.html#regular-source
[4] http://www.openpkg.org/tutorial.html#regular-binary
[5] ftp://ftp.openpkg.org/release/1.2/UPD/openssh-3.5p1-1.2.2.src.rpm
[6] ftp://ftp.openpkg.org/release/1.2/UPD/
[7] http://www.openpkg.org/security.html#signature
________________________________________________________________________
For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <[email protected]>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <[email protected]>
iD8DBQE/MQR9gHWT4GPEy58RAiKkAKCpACytbxQN0ERLBbqNfmbZYYc59wCg6V33
XFH1dFEVD0jBbdBvvdIdIZM=
=GtfK
-----END PGP SIGNATURE-----
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from radio.rzs.ru (unknown [217.196.118.5])
by mc.tura.ru (Postfix) with ESMTP id 4230717F68
for <[email protected]>; Wed, 6 Aug 2003 21:56:47 +0600 (YEKST)
Received: (from root@localhost)
by radio.rzs.ru (8.11.3/8.11.3) id h76Fo0R02725;
Wed, 6 Aug 2003 21:50:00 +0600 (YEKST)
(envelope-from root)
Date: Wed, 6 Aug 2003 21:50:00 +0600 (YEKST)
Message-Id: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: 8bit
To: [email protected]
From: MONITORING <[email protected]>
Subject: ALERT: httpd not found rzs.ru