Fedora Legacy Test Update Notification: openssh

Marc Deslauriers marcdeslauriers at videotron.ca
Sat Feb 11 16:43:41 UTC 2006


---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-168935
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168935
2006-02-10
---------------------------------------------------------------------

Name        : openssh
Versions    : rh73: openssh-3.1p1-14.3.legacy
Versions    : rh9: openssh-3.5p1-11.4.legacy
Versions    : fc1: openssh-3.6.1p2-19.4.legacy
Versions    : fc2: openssh-3.6.1p2-34.4.legacy
Versions    : fc3: openssh-3.9p1-8.0.4.legacy
Summary     : The OpenSSH implementation of SSH protocol.
Description :
OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH
replaces rlogin and rsh, to provide secure encrypted communications
between two untrusted hosts over an insecure network. X11 connections
and arbitrary TCP/IP ports can also be forwarded over the secure
channel. Public key authentication may be used for "passwordless"
access to servers.

---------------------------------------------------------------------
Update Information:

Updated openssh packages that fix security issues are now available.

OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH
replaces rlogin and rsh, and provides secure encrypted communications
between two untrusted hosts over an insecure network. X11 connections
and arbitrary TCP/IP ports can also be forwarded over a secure channel.
Public key authentication can be used for "passwordless" access to
servers.

A bug was found in the way the OpenSSH server handled the MaxStartups
and LoginGraceTime configuration variables. A malicious user could
connect to the SSH daemon in such a way that it would prevent additional
logins from occurring until the malicious connections are closed. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2004-2069 to this issue.

The scp command was found to expose filenames twice to shell expansion.
A malicious user could execute arbitrary commands by using specially
crafted filenames containing shell metacharacters or spaces. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2006-0225 to this issue.
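
The change named in the changelogs below ("use fork+exec instead of system in scp"), sketched as an added example; it is not the Fedora Legacy or OpenSSH patch. The function names, the `test -e` stand-in command and the sample filename are assumptions constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

static int rc_of(int st) { return WIFEXITED(st) ? WEXITSTATUS(st) : -1; }

/* "Before": the name is pasted into a string that /bin/sh parses again. */
int exists_via_system(const char *path) {
    char cmd[PATH_MAX + 16];
    snprintf(cmd, sizeof cmd, "test -e %s", path);
    return rc_of(system(cmd));
}

/* "After": the name is one argv entry; no shell ever sees it. */
int exists_via_exec(const char *path) {
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("test", "test", "-e", path, (char *)NULL);
        _exit(127);                      /* exec failed */
    }
    return waitpid(pid, &st, 0) < 0 ? -1 : rc_of(st);
}

/* Constructed sample: a file whose name contains a space. */
int compare(int *sys_rc, int *exec_rc) {
    char dir[] = "/tmp/scp-demo-XXXXXX", path[PATH_MAX];
    FILE *f;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/report 2006.txt", dir);
    if ((f = fopen(path, "w")) == NULL) { rmdir(dir); return -1; }
    fclose(f);
    *sys_rc = exists_via_system(path);   /* shell splits the name in two */
    *exec_rc = exists_via_exec(path);    /* name arrives intact */
    unlink(path);
    rmdir(dir);
    return 0;
}

int main(void) {
    int s, e;
    if (compare(&s, &e) != 0) return 1;
    printf("system(): %d   fork+exec: %d\n", s, e);
    return 0;
}
```

The same file is reported missing by the `system()` variant and found by the fork+exec variant, because only the former lets a shell reinterpret the filename.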

Users of openssh should upgrade to these updated packages, which contain
backported patches to resolve these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Mon Jan 23 2006 Marc Deslauriers <marcdeslauriers at videotron.ca>
3.1p1-14.3.legacy
- use fork+exec instead of system in scp - CVE-2006-0225

rh9:
* Mon Jan 23 2006 Marc Deslauriers <marcdeslauriers at videotron.ca>
3.5p1-11.4.legacy
- use fork+exec instead of system in scp - CVE-2006-0225

* Sun Jan 22 2006 Marc Deslauriers <marcdeslauriers at videotron.ca>
3.5p1-11.3.legacy
- CAN-2004-2069 - prevent DoS on openssh server

fc1:
* Mon Jan 23 2006 Marc Deslauriers <marcdeslauriers at videotron.ca>
3.6.1p2-19.4.legacy
- use fork+exec instead of system in scp - CVE-2006-0225

* Sun Jan 22 2006 Marc Deslauriers <marcdeslauriers at videotron.ca>
3.6.1p1-19.3.legacy
- CAN-2004-2069 - prevent DoS on openssh server

fc2:
* Mon Jan 23 2006 Marc Deslauriers <marcdeslauriers at videotron.ca>
3.6.1p2-34.4.legacy
- use fork+exec instead of system in scp - CVE-2006-0225

* Sun Jan 22 2006 Marc Deslauriers <marcdeslauriers at videotron.ca>
3.6.1p2-34.3.legacy
- CAN-2004-2069 - prevent DoS on openssh server

fc3:
* Mon Jan 23 2006 Marc Deslauriers <marcdeslauriers at videotron.ca>
3.9p1-8.0.4.legacy
- use fork+exec instead of system in scp - CVE-2006-0225

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

---------------------------------------------------------------------

Please test and comment in bugzilla.