drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Unsichere Verwendung von /tmp in openssh
Name: |
Unsichere Verwendung von /tmp in openssh
|
|
ID: |
CSSA-2001-023.0 |
|
Distribution: |
Caldera |
|
Plattformen: |
Caldera eBuilder, Caldera eServer 2.3.1, Caldera Server 3.1, Caldera Workstation 3.1 |
|
Datum: |
Mi, 4. Juli 2001, 13:00 |
|
Referenzen: |
Keine Angabe |
|
Applikationen: |
Portable OpenSSH |
|
Originalnachricht |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
______________________________________________________________________________ Caldera International, Inc. Security Advisory
Subject: Linux - openssh cookie file problem Advisory number: CSSA-2001-023.0 Issue date: 2001 July, 03 Cross reference: ______________________________________________________________________________
1. Problem Description
Due to unsafe temporary directory usage an local attacker could remove any file called 'cookies' on the system.
2. Vulnerable Versions
System Package ----------------------------------------------------------- OpenLinux 2.3 not vulnerable
OpenLinux eServer 2.3.1 All packages previous to and OpenLinux eBuilder openssh-2.9p2-3
OpenLinux eDesktop 2.4 not vulnerable
OpenLinux 3.1 Server All packages previous to openssh-2.9p2-3
OpenLinux 3.1 Workstation All packages previous to openssh-2.9p2-3
3. Solution
Workaround
none
The proper solution is to upgrade to the latest packages.
4. OpenLinux 2.3
not vulnerable
5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0
5.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS
5.2 Verification
34fbb2815f03c432492720d28f0db39d RPMS/openssh-2.9p2-3.i386.rpm ee99b7b586166416601b4a0d4f90164d RPMS/openssh-askpass-2.9p2-3.i386.rpm 66c4ccbc757c7fc3f0d9edd50ce4444b RPMS/openssh-server-2.9p2-3.i386.rpm f07dbad19313f6ae41329115ceda1bf4 SRPMS/openssh-2.9p2-3.src.rpm
5.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
/etc/rc.d/init.d/sshd stop rpm -Fvh openssh*.i386.rpm /etc/rc.d/init.d/sshd start
6. OpenLinux eDesktop 2.4
not vulnerable
7. OpenLinux 3.1 Server
7.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS
7.2 Verification
af280d6cc5b6fb7d9f9be1511bd4aa40 RPMS/openssh-2.9p2-3.i386.rpm 346dfd71190bbbe59d4ae0bc2f582011 RPMS/openssh-askpass-2.9p2-3.i386.rpm 6fadeb3261714e130ccd0d69d40871a1 RPMS/openssh-server-2.9p2-3.i386.rpm f07dbad19313f6ae41329115ceda1bf4 SRPMS/openssh-2.9p2-3.src.rpm
7.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh openssh*i386.rpm
or start kcupdate, the Caldera OpenLinux Update Manager.
8. OpenLinux 3.1 Workstation
8.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS
8.2 Verification
af280d6cc5b6fb7d9f9be1511bd4aa40 RPMS/openssh-2.9p2-3.i386.rpm 346dfd71190bbbe59d4ae0bc2f582011 RPMS/openssh-askpass-2.9p2-3.i386.rpm 6fadeb3261714e130ccd0d69d40871a1 RPMS/openssh-server-2.9p2-3.i386.rpm f07dbad19313f6ae41329115ceda1bf4 SRPMS/openssh-2.9p2-3.src.rpm
8.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh openssh*i386.rpm
or start kcupdate, the Caldera OpenLinux Update Manager.
9. References
This and other Caldera security resources are located at:
http://www.caldera.com/support/security/index.html
This security fix closes Caldera's internal Problem Reports 10114 and 10157.
10.Disclaimer
Caldera International, Inc. is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Caldera OpenLinux.
11.Acknowledgements
Caldera International wishes to thank zen-parse for reporting this problem and the OpenSSH folks for providing a timely fix. ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org
iD8DBQE7Qcmw18sy83A/qfwRAitUAJ48NSL6X6fpVr9hXXv8tAJ21EXCbgCgpcLt D6Cqe0VDor5g/SiY8ZDYsT8= =4ZXh -----END PGP SIGNATURE-----
--------------------------------------------------------------------- To unsubscribe, e-mail: announce-unsubscribe@lists.caldera.com For additional commands, e-mail: announce-help@lists.caldera.com
|
|
|
|