Security: Information disclosure in lsh-utils
Name: Information disclosure in lsh-utils
ID: DSA-956-1
Distribution: Debian
Platforms: Debian sarge
Date: Thu, 26 January 2006, 11:21
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0353
Applications: lsh
Original message
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 956-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
January 26th, 2006                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : lsh-utils
Vulnerability  : filedescriptor leak
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2006-0353
Debian Bug     : 349303
Stefan Pfetzing discovered that lshd, a Secure Shell v2 (SSH2) protocol server, leaks a couple of file descriptors, related to the randomness generator, to user shells which are started by lshd. A local attacker can truncate the server's seed file, which may prevent the server from starting, and with some more effort, maybe also crack session keys.
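The descriptor-leak pattern described above, as an added example that is not lsh code and does not claim to be the fix Debian shipped: a daemon opens its randomness seed file, spawns a user shell, and the shell inherits the descriptor unless it carries FD_CLOEXEC. The program shows the leaky form beside the hardened form (marking the descriptor close-on-exec with fcntl), plus the check a defender can run: spawn a real shell the way the daemon would and ask whether it can use the descriptor. It assumes a POSIX system with /bin/sh and /proc-free semantics (only dup/exec behaviour is used); the seed path is a constructed stand-in for /var/spool/lsh/yarrow-seed-file.

```c
/*
 * Added example (not lsh code): the descriptor-leak pattern behind
 * DSA-956-1. A daemon opens its randomness seed file, then spawns a user
 * shell; unless the descriptor carries FD_CLOEXEC, the shell inherits it.
 * The seed path below is constructed for the demo; /bin/sh is assumed.
 */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Audit helper: will this descriptor survive an exec()? */
int fd_survives_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags >= 0 && !(flags & FD_CLOEXEC);
}

/* Retrofit fix for an already-open descriptor: mark it close-on-exec.
 * Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Detection: spawn a real shell the way a daemon would and ask it to use
 * descriptor fd. ": >&N" succeeds only if N is open in the child; stderr
 * is silenced first so the probe stays quiet.
 * Returns 1 if the shell could use the fd (leak), 0 if not, -1 on error. */
int shell_inherits_fd(int fd)
{
    char cmd[64];
    int status;
    pid_t pid;

    snprintf(cmd, sizeof cmd, ": 2>/dev/null >&%d", fd);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);             /* exec failed: counts as "not usable" */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* End-to-end check: open a stand-in seed file, optionally harden the
 * descriptor, spawn a shell, and report whether the shell inherited it.
 * hardened=0 reproduces the bug class; hardened=1 shows the mitigation. */
int seed_fd_leaks(int hardened)
{
    char path[64];
    int fd, leaked;

    /* Constructed path: a throwaway stand-in for the daemon's seed file. */
    snprintf(path, sizeof path, "/tmp/dsa956-demo-seed-%ld", (long)getpid());
    fd = open(path, O_RDWR | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    if (hardened && set_cloexec(fd) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    leaked = shell_inherits_fd(fd);
    close(fd);
    unlink(path);
    return leaked;
}

int main(void)
{
    printf("leaky daemon:    shell inherits seed fd? %d\n", seed_fd_leaks(0));
    printf("hardened daemon: shell inherits seed fd? %d\n", seed_fd_leaks(1));
    return 0;
}
```

The probe works because `>&N` in the child shell is just a dup2() of descriptor N; it fails only when N is closed, which is exactly the state FD_CLOEXEC guarantees after exec. The same `fd_survives_exec` check can be applied to any descriptor a long-running service holds open before it hands control to user code.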
After applying this update, you should remove the server's seed file (/var/spool/lsh/yarrow-seed-file) and then regenerate it with "lsh-make-seed --server" as root.
For security reasons, lsh-make-seed really needs to be run from the console of the system you are running it on. If you run lsh-make-seed using a remote shell, the timing information lsh-make-seed uses for its random seed creation is likely to be distorted. If need be, you can generate the random seed on a different system than the one it will eventually be used on, by installing the lsh-utils package and running "lsh-make-seed -o my-other-server-seed-file". You may then transfer the seed to the destination system using a secure connection.
The old stable distribution (woody) may not be affected by this problem.
For the stable distribution (sarge) this problem has been fixed in version 2.0.1-3sarge1.
For the unstable distribution (sid) this problem has been fixed in version 2.0.1cdbs-4.
We recommend that you upgrade your lsh-server package.
Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    lsh-utils_2.0.1-3sarge1.dsc
      Size/MD5 checksum:      827 27a08dea0eb4d51595d12325dd2dc9b9
    lsh-utils_2.0.1-3sarge1.diff.gz
      Size/MD5 checksum:    65643 ce143cd95c98d22be17702cfa7d00883
    lsh-utils_2.0.1.orig.tar.gz
      Size/MD5 checksum:  1866063 25ca0b4385779de3d58d2d5757f495c3

  Architecture independent components:

    lsh-utils-doc_2.0.1-3sarge1_all.deb
      Size/MD5 checksum:   167108 8a72fcaeee3a9e87bb2f596790e0ed0d

  Alpha architecture:

    lsh-client_2.0.1-3sarge1_alpha.deb
      Size/MD5 checksum:   401168 b3c017e4498e57576f75c8c6a4141bd1
    lsh-server_2.0.1-3sarge1_alpha.deb
      Size/MD5 checksum:   338576 573bddb6eaf7a2488199c4559aae3c29
    lsh-utils_2.0.1-3sarge1_alpha.deb
      Size/MD5 checksum:  1024694 db2d07041589921cea746b35970448c9

  ARM architecture:

    lsh-client_2.0.1-3sarge1_arm.deb
      Size/MD5 checksum:   295730 dbbf6d2c5a9a78d8757536c0a91c12b1
    lsh-server_2.0.1-3sarge1_arm.deb
      Size/MD5 checksum:   263990 524f432ff03e1e4e0de80868b5251dc1
    lsh-utils_2.0.1-3sarge1_arm.deb
      Size/MD5 checksum:   751640 662e1c293a3ad6ee830e0c154899a5e3

  Intel IA-32 architecture:

    lsh-client_2.0.1-3sarge1_i386.deb
      Size/MD5 checksum:   300088 5038534a8bf05c1afe3b6a02d949d19e
    lsh-server_2.0.1-3sarge1_i386.deb
      Size/MD5 checksum:   265836 6236889e8e52a65e3302a9cde882b46d
    lsh-utils_2.0.1-3sarge1_i386.deb
      Size/MD5 checksum:   746754 a8608dc7abfb61b37b49985d6914939d

  Intel IA-64 architecture:

    lsh-client_2.0.1-3sarge1_ia64.deb
      Size/MD5 checksum:   447126 6e6ea9ed0b40b44f6a77de4bff109d15
    lsh-server_2.0.1-3sarge1_ia64.deb
      Size/MD5 checksum:   374070 9c7aea3671804cbd9e67c621aa08ae11
    lsh-utils_2.0.1-3sarge1_ia64.deb
      Size/MD5 checksum:  1164462 e73a3d57a099a72d436f071d8666c41f

  HP Precision architecture:

    lsh-client_2.0.1-3sarge1_hppa.deb
      Size/MD5 checksum:   343638 de455b0e097e6702ada6deaaf8803898
    lsh-server_2.0.1-3sarge1_hppa.deb
      Size/MD5 checksum:   295558 225a99b05fafbe38ecba5ed54ae56997
    lsh-utils_2.0.1-3sarge1_hppa.deb
      Size/MD5 checksum:   868638 79878de6808ade34d2551aae99f9cd7b

  Motorola 680x0 architecture:

    lsh-client_2.0.1-3sarge1_m68k.deb
      Size/MD5 checksum:   272632 01605d69846557dfc5b2d3f802eeb9c2
    lsh-server_2.0.1-3sarge1_m68k.deb
      Size/MD5 checksum:   244748 ae046120b9001ef2109b83ae014e7206
    lsh-utils_2.0.1-3sarge1_m68k.deb
      Size/MD5 checksum:   669880 1ba0c5ea28762faaaffebf763666c7b9

  Big endian MIPS architecture:

    lsh-client_2.0.1-3sarge1_mips.deb
      Size/MD5 checksum:   352524 b760940edecb51c6f138f92ed79e1027
    lsh-server_2.0.1-3sarge1_mips.deb
      Size/MD5 checksum:   305572 42622131e45e23460a40a168b22f2cdf
    lsh-utils_2.0.1-3sarge1_mips.deb
      Size/MD5 checksum:   886516 0a3a7d73e941ccb3d042a17ed91757e2

  Little endian MIPS architecture:

    lsh-client_2.0.1-3sarge1_mipsel.deb
      Size/MD5 checksum:   353328 3aae28d22cd30aa12f9cc1edcc3f1800
    lsh-server_2.0.1-3sarge1_mipsel.deb
      Size/MD5 checksum:   306144 3d47e49fa2507587cb1d92992e593081
    lsh-utils_2.0.1-3sarge1_mipsel.deb
      Size/MD5 checksum:   888880 0afea7b20d9dc5c12ca7cce15c74643f

  PowerPC architecture:

    lsh-client_2.0.1-3sarge1_powerpc.deb
      Size/MD5 checksum:   316982 d6bbece27b282748d90d5938a8111f21
    lsh-server_2.0.1-3sarge1_powerpc.deb
      Size/MD5 checksum:   282628 9c7a4830a74bc90a5832e6160e1e082d
    lsh-utils_2.0.1-3sarge1_powerpc.deb
      Size/MD5 checksum:   809622 31709a65f368f7a068dcbdce4e1aff06

  IBM S/390 architecture:

    lsh-client_2.0.1-3sarge1_s390.deb
      Size/MD5 checksum:   343902 6f3d3524ce342b6a2497940d4bc4bb40
    lsh-server_2.0.1-3sarge1_s390.deb
      Size/MD5 checksum:   297426 50e9c6e52e3c32c6a8597d2a0475b0d4
    lsh-utils_2.0.1-3sarge1_s390.deb
      Size/MD5 checksum:   883990 8683782431b1e5e418265972c8877f81

  Sun Sparc architecture:

    lsh-client_2.0.1-3sarge1_sparc.deb
      Size/MD5 checksum:   292410 44c4c08694ffc59077c2f1fc1112d33f
    lsh-server_2.0.1-3sarge1_sparc.deb
      Size/MD5 checksum:   262056 05063d13ff9e2b43a4e27e915507d932
    lsh-utils_2.0.1-3sarge1_sparc.deb
      Size/MD5 checksum:   751050 a2f59d44ed6b8c7759a240f491416b63
These files will probably be moved into the stable distribution on its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-securitydists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFD2JyEW5ql+IAeqTIRAu0fAJ0WMDlQVhbRbhrcSrAuiUj4j90O8QCfdYk1
6rqtIi+KngdWs13koD38FKg=
=N+D1
-----END PGP SIGNATURE-----

--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org