Fedora Legacy Test Update Notification: openssh

Marc Deslauriers marcdeslauriers at videotron.ca
Fri Jun 24 18:48:10 UTC 2005


---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-123014
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123014
2005-06-24
---------------------------------------------------------------------

Name        : openssh
Versions    : rh73: openssh-3.1p1-14.2.legacy
Versions    : rh9: openssh-3.5p1-11.2.legacy
Versions    : fc1: openssh-3.6.1p2-19.2.legacy
Versions    : fc2: openssh-3.6.1p2-34.2.legacy
Summary     : The OpenSSH implementation of SSH protocol.
Description :
OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH
replaces rlogin and rsh, to provide secure encrypted communications
between two untrusted hosts over an insecure network. X11 connections
and arbitrary TCP/IP ports can also be forwarded over the secure
channel. Public key authentication may be used for "passwordless"
access to servers.

---------------------------------------------------------------------
Update Information:

Updated openssh packages that fix a potential security vulnerability are
now available.

OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH
replaces rlogin and rsh, and provides secure encrypted communications
between two untrusted hosts over an insecure network. X11 connections
and arbitrary TCP/IP ports can also be forwarded over a secure channel.
Public key authentication can be used for "passwordless" access to
servers.

The scp protocol allows a server to instruct a client to write to
arbitrary files outside of the current directory. This could potentially
cause a security issue if a user uses scp to copy files from a malicious
server. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0175 to this issue.

These updated packages also correct the following bug: On systems where
direct ssh access for the root user was disabled by configuration
(setting "PermitRootLogin no"), attempts to guess the root password
could be judged as successful or unsuccessful by observing a delay.

Users of openssh should upgrade to these updated packages, which contain
backported patches to resolve these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Thu Jun 23 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
3.1p1-14.2.legacy
- Added missing pam-devel and groff to BuildPrereq

* Fri Jun 10 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
3.1p1-14.1.legacy
- CAN-2004-0175 don't allow scp to overwrite files in other directories
- don't leak whether root password is right if root isn't allowed

rh9:
* Fri Jun 24 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
3.5p1-11.2.legacy
- Added missing pam-devel, groff and gtk2-devel BuildPrereq

* Fri Jun 10 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
3.5p1-11.1.legacy
- CAN-2004-0175 don't allow scp to overwrite files in other directories
- don't leak whether root password is right if root isn't allowed

fc1:
* Fri Jun 24 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
3.6.1p1-19.2.legacy
- Added missing pam-devel and groff to BuildPrereq

* Fri Jun 10 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
3.6.1p1-19.1.legacy
- CAN-2004-0175 don't allow scp to overwrite files in other directories
- don't leak whether root password is right if root isn't allowed

fc2:
* Fri Jun 24 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
3.6.1p2-34.2.legacy
- Added missing pam-devel and groff BuildPrereq

* Fri Jun 10 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
3.6.1p2-34.1.legacy
- CAN-2004-0175 don't allow scp to overwrite files in other directories
- don't leak whether root password is right if root isn't allowed

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/

---------------------------------------------------------------------

Please test and comment in bugzilla.
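
The kind of client-side check that the CAN-2004-0175 changelog entry ("don't allow scp to overwrite files in other directories") describes, as an added example; it is not part of the original advisory and is not the OpenSSH patch itself. The function name, the record layout as parsed here and the sample records are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not OpenSSH source). Validates one scp control record
 * "C<4 octal mode digits> <size> <name>\n" ("D..." for a directory) received
 * from the remote side. Returns 0 and copies the name to out when it is a
 * plain name inside the target directory, -1 otherwise. */
int scp_record_name_ok(const char *rec, char *out, size_t outlen)
{
    const char *p = rec;
    size_t n;
    int i;

    if (*p != 'C' && *p != 'D')
        return -1;
    for (p++, i = 0; i < 4; i++, p++)   /* mode: exactly four octal digits */
        if (*p < '0' || *p > '7')
            return -1;
    if (*p++ != ' ' || *p < '0' || *p > '9')
        return -1;                      /* size: at least one decimal digit */
    while (*p >= '0' && *p <= '9')
        p++;
    if (*p++ != ' ')
        return -1;
    n = strcspn(p, "\n");               /* name runs up to the newline */
    if (p[n] != '\n' || n == 0 || n >= outlen)
        return -1;
    /* The server chooses this name: a '/' or ".." (and, as an extra
     * assumption of this example, ".") must never reach open()/mkdir(). */
    if (memchr(p, '/', n) != NULL || (n <= 2 && strspn(p, ".") == n))
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample records standing in for what a remote side sends. */
    const char *recs[] = { "C0644 12 notes.txt\n", "C0644 12 ../outside.txt\n",
                           "C0644 12 /tmp/abs.txt\n", "D0755 0 ..\n" };
    char name[256];
    for (int i = 0; i < 4; i++)
        printf("%s%s", scp_record_name_ok(recs[i], name, sizeof name)
                           ? "reject: " : "accept: ", recs[i]);
    return 0;
}
```

The check runs on the name the remote side supplies, before the client opens or creates anything, so the decision does not depend on what the user typed on the scp command line.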