
Security: Unauthorized use of X forwarding in openssh
Name: Unauthorized use of X forwarding in openssh
ID: TLSA-2008-14
Distribution: TurboLinux
Platforms: Turbolinux FUJI, Turbolinux 10 Server, Turbolinux 10 Server x64 Edition, Turbolinux Appliance Server 2.0, Turbolinux 11 Server x64 Edition, Turbolinux 11 Server, Turbolinux Multimedia, Turbolinux Personal, Turbolinux Appliance Server 1.0 Hosting Edition, Turbolinux Appliance Server 1.0 Workgroup Edition
Date: Thu, 17 April 2008, 03:50
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483
Applications: Portable OpenSSH

Original message

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--------------------------------------------------------------------------
Turbolinux Security Advisory TLSA-2008-14
http://www.turbolinux.co.jp/security/
security-team@turbolinux.co.jp
--------------------------------------------------------------------------

Original release date: 16 Apr 2008
Last revised: 16 Apr 2008

Package: openssh

Summary: Hijack forwarded X connections

More information:
Ssh (Secure Shell) is a program for logging into a remote machine and for
executing commands on a remote machine. It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH 4.3p2, and probably other versions, allows local users to hijack
forwarded X connections by causing ssh to set DISPLAY to :10,
even when another process is listening on the associated port,
as demonstrated by opening TCP port 6010 (IPv4) and sniffing
a cookie sent by Emacs. (CVE-2008-1483)

Affected Products:
- Turbolinux 11 Server x64 Edition
- Turbolinux 11 Server
- Turbolinux Appliance Server 2.0
- Turbolinux FUJI
- Turbolinux 10 Server x64 Edition
- Turbolinux Appliance Server 1.0 Hosting Edition
- Turbolinux Appliance Server 1.0 Workgroup Edition
- Turbolinux 10 Server
- Turbolinux Multimedia
- Turbolinux Personal


<Turbolinux 11 Server x64 Edition>

Source Packages
Size: MD5

openssh-4.7p1-5.src.rpm
1044751 9d811a1d12440d8e2800cb49c19ee556

Binary Packages
Size: MD5

openssh-4.7p1-5.x86_64.rpm
281793 e2974ee62a3e17daacf93f75f0c15b7f
openssh-askpass-4.7p1-5.x86_64.rpm
40130 53f56e2d7ce96581e8e3c65260801977
openssh-clients-4.7p1-5.x86_64.rpm
304513 fc1e023094bcc1c79afc9795b4123d2c
openssh-server-4.7p1-5.x86_64.rpm
311108 43ed7d4e1d0465f86c22dc9d5604beb2

<Turbolinux 11 Server>

Source Packages
Size: MD5

openssh-4.7p1-5.src.rpm
1044751 9d811a1d12440d8e2800cb49c19ee556

Binary Packages
Size: MD5

openssh-4.7p1-5.i686.rpm
264124 5c9599252caae7f4efd8892a3fc26e14
openssh-askpass-4.7p1-5.i686.rpm
37683 4b1a040c8f6fbcc2639c668375a56ea1
openssh-clients-4.7p1-5.i686.rpm
277692 ee06322eaf16a5524e70405cfd5e8ad5
openssh-server-4.7p1-5.i686.rpm
279930 0d55c476f55b073c49d2e72b14f84fd4

<Turbolinux Appliance Server 2.0>

Source Packages
Size: MD5

openssh-3.9p1-11.src.rpm
912775 899a450aef79c7c4351a14ee7136a716

Binary Packages
Size: MD5

openssh-3.9p1-11.i586.rpm
189593 d275338c45f3e88b3f2c4724bb6b3231
openssh-askpass-3.9p1-11.i586.rpm
36839 aa85586a80b92a0ff5857c6547000797
openssh-clients-3.9p1-11.i586.rpm
215596 bdde972adeb885d1f3e4d7a5926d4cf8
openssh-server-3.9p1-11.i586.rpm
217661 64ba51072c34ccbc482d24963a7c1e2d

<Turbolinux FUJI>

Source Packages
Size: MD5

openssh-4.1p1-7.src.rpm
954390 9b89ef9a0302252eaa402d387d870909

Binary Packages
Size: MD5

openssh-4.1p1-7.i686.rpm
235391 8766f33e5979b11304ef52cfa97d9399
openssh-askpass-4.1p1-7.i686.rpm
37828 50a149c08d9b9eebacf700aefd884df3
openssh-clients-4.1p1-7.i686.rpm
254143 c5977fdef6d5fabf18f6258bec3a044e
openssh-server-4.1p1-7.i686.rpm
256675 de0606502b90e6b8b34c0a0b84db70ea

<Turbolinux 10 Server x64 Edition>

Source Packages
Size: MD5

openssh-3.9p1-11.src.rpm
912775 bfbd5e52ccd6f277e2357018574afab4

Binary Packages
Size: MD5

openssh-3.9p1-11.x86_64.rpm
203158 836474590aaf90c2fd71a59057c23f91
openssh-askpass-3.9p1-11.x86_64.rpm
38759 ea9a4be7fa0897e11f462b29fc9e9ba8
openssh-clients-3.9p1-11.x86_64.rpm
237512 470fa1d23046888b4b9a4b75d45f9c7d
openssh-server-3.9p1-11.x86_64.rpm
246205 3dc32e46f727f979874df468477bef7b

<Turbolinux Appliance Server 1.0 Hosting Edition>

Source Packages
Size: MD5

openssh-3.7.1p2-12.src.rpm
852697 f935bc8af0596a399dbd1a81b9004c97

Binary Packages
Size: MD5

openssh-3.7.1p2-12.i586.rpm
195368 12d7ca23f5b44ed1b0e543c9e80f9080
openssh-askpass-3.7.1p2-12.i586.rpm
34449 4ac6c92397b17f0c8d5373333f4a6418
openssh-clients-3.7.1p2-12.i586.rpm
216920 213fe392ae8da64a87abcd70b10d3ba7
openssh-server-3.7.1p2-12.i586.rpm
225725 f3976e3f4ab8ddc0db7c5c4b4f42b3c1

<Turbolinux Appliance Server 1.0 Workgroup Edition>

Source Packages
Size: MD5

openssh-3.7.1p2-12.src.rpm
852697 172f9af1e9ca9e719b163983217a1392

Binary Packages
Size: MD5

openssh-3.7.1p2-12.i586.rpm
195585 8bf0e54d89219c28012d67709a407589
openssh-askpass-3.7.1p2-12.i586.rpm
34620 c2b1b3b53dd177e06e560709d85ff316
openssh-clients-3.7.1p2-12.i586.rpm
217116 89d75fb9b71829e0b1c843e30c372368
openssh-server-3.7.1p2-12.i586.rpm
225765 0ceaa7a33eed3e47da89a17247350d0e

<Turbolinux 10 Server>

Source Packages
Size: MD5

openssh-3.9p1-11.src.rpm
912775 899a450aef79c7c4351a14ee7136a716

Binary Packages
Size: MD5

openssh-3.9p1-11.i586.rpm
189593 d275338c45f3e88b3f2c4724bb6b3231
openssh-askpass-3.9p1-11.i586.rpm
36839 aa85586a80b92a0ff5857c6547000797
openssh-clients-3.9p1-11.i586.rpm
215596 bdde972adeb885d1f3e4d7a5926d4cf8
openssh-server-3.9p1-11.i586.rpm
217661 64ba51072c34ccbc482d24963a7c1e2d

<Turbolinux Multimedia, Turbolinux Personal>

Source Packages
Size: MD5

openssh-3.8p1-12.src.rpm
883428 8e72662fce91ebf1bde3900dfe2b8e11

Binary Packages
Size: MD5

openssh-3.8p1-12.i586.rpm
193169 8e541aa44cbfa3e392a62108f29f9dfa
openssh-askpass-3.8p1-12.i586.rpm
36820 2694941633aacdbc017c0358ce4f4b37
openssh-clients-3.8p1-12.i586.rpm
212001 39cce0fd1de5aedf609250cf07efdb71
openssh-server-3.8p1-12.i586.rpm
214623 c5228f93034bcec290404a70414f11d6


References:

CVE
[CVE-2008-1483]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483

--------------------------------------------------------------------------
Revision History
16 Apr 2008 Initial release
--------------------------------------------------------------------------

Copyright(C) 2008 Turbolinux, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)

iEYEARECAAYFAkgF7LcACgkQK0LzjOqIJMzsFACdF4e8tAS8AxlIwFC0jCTnyaPG
O54AnAuIR4mYDzlrJv5eIz2xOn2NT8N1
=OZ/p
-----END PGP SIGNATURE-----
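
A defensive check for the condition the advisory describes under CVE-2008-1483, given here as an added example (not part of the Turbolinux advisory or of OpenSSH): it parses listening-socket output in the style of `ss -H -ltnp` and reports X11-forwarding display ports (TCP 6000 + display, starting at sshd's default offset of 10) that are held by a process other than sshd, alone or alongside it. The sample lines, the `audit` function and the scan window of displays 10 to 99 are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `ss -H -ltnp` output (not from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
LISTEN 0 5 0.0.0.0:6010 0.0.0.0:* users:(("nc",pid=3302,fd=3))
LISTEN 0 128 [::1]:6010 [::]:* users:(("sshd",pid=3410,fd=8))
LISTEN 0 128 127.0.0.1:6011 0.0.0.0:* users:(("sshd",pid=3555,fd=9))
LISTEN 0 128 [::1]:6011 [::]:* users:(("sshd",pid=3555,fd=8))
LISTEN 0 5 0.0.0.0:6012 0.0.0.0:* users:(("python3",pid=4001,fd=4))
"""

X11_BASE = 6000  # X display :N listens on TCP port 6000 + N


def audit(ss_text, first=10, last=99):
    """Return (display, kind, owners) for X11-forwarding ports not held by sshd alone.

    first=10 is sshd's default X11DisplayOffset; last=99 is an assumed scan window.
    """
    owners = defaultdict(set)
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        display = int(port) - X11_BASE
        if not first <= display <= last:
            continue
        family = "ipv6" if addr.startswith("[") or addr == "*" else "ipv4"
        # Without privileges ss omits the users:(...) column; record that as unknown.
        procs = re.findall(r'\("([^"]+)",pid=(\d+)', line) or [("unknown", "?")]
        for name, pid in procs:
            owners[display].add((family, name, pid))

    findings = []
    for display in sorted(owners):
        names = {name for _, name, _ in owners[display]}
        if names == {"sshd"}:
            continue  # sshd holds every listener on this display port
        # sshd plus another owner on one port matches the advisory's DISPLAY=:10 case
        kind = "shared-with-sshd" if "sshd" in names else "foreign-listener"
        findings.append((display, kind, sorted(owners[display])))
    return findings


if __name__ == "__main__":
    for display, kind, who in audit(SAMPLE_SS):
        print(f"display :{display} (tcp/{X11_BASE + display}): {kind}: {who}")
```

A `foreign-listener` result can be a legitimate local X server on a high display number, so it is a prompt to check the owning process, not proof of tampering.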