Yellow Dog Linux Security Announcement
--------------------------------------

Package:      openssh
Issue Date:   Sep 17, 2003
Priority:     high
Advisory ID:  YDU-20030917-1

1. Topic:

   Updated openssh packages are available.

2. Problem:

   "Updated packages are now available to fix additional buffer
   manipulation problems which were fixed in OpenSSH 3.7.1. The Common
   Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
   name CAN-2003-0695 to these additional issues.

   We have also included fixes from Solar Designer for some additional
   memory bugs. The Common Vulnerabilities and Exposures project
   (cve.mitre.org) has assigned the name CAN-2003-0682 to these issues.

   OpenSSH is a suite of network connectivity tools that can be used to
   establish encrypted connections between systems on a network and can
   provide interactive login sessions and port forwarding, among other
   functions.

   The OpenSSH team has announced a bug which affects the OpenSSH buffer
   handling code. This bug has the potential of being remotely
   exploitable. The Common Vulnerabilities and Exposures project
   (cve.mitre.org) has assigned the name CAN-2003-0693 to this issue.

   All users of OpenSSH should immediately apply this update which
   contains a backported fix for this issue." (from Red Hat Advisory)

3. Solution:

   a) Updating via yum...
      We suggest that you use the yum program to keep your system
      up-to-date. The following command(s) will retrieve and install the
      fixed version of this update onto your system:

          yum update openssh

   b) Updating manually...
      Download the updates below and then run the following rpm command.
      (Please use a mirror site)

          rpm -Fvh [filenames]

      ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-3.0/
      ppc/openssh-3.5p1-11.ppc.rpm
      ppc/openssh-askpass-3.5p1-11.ppc.rpm
      ppc/openssh-askpass-gnome-3.5p1-11.ppc.rpm
      ppc/openssh-clients-3.5p1-11.ppc.rpm
      ppc/openssh-server-3.5p1-11.ppc.rpm

4. Verification

   MD5 checksum                      Package
   --------------------------------  ----------------------------
   7840ab7a3823b224e7758f8436271d45  SRPMS/openssh-3.5p1-11.src.rpm
   69b608fa15c4f1dc5baeaf37f8aa336f  ppc/openssh-3.5p1-11.ppc.rpm
   1ebda5bff78251003cbc75edd179b51c  ppc/openssh-askpass-3.5p1-11.ppc.rpm
   59a5d650e06bb531774cd1f86ac2f978  ppc/openssh-askpass-gnome-3.5p1-11.ppc.rpm
   cbaf8bdb55212bbc38623b29f68da4da  ppc/openssh-clients-3.5p1-11.ppc.rpm
   bdbee796e35f01829f69b70c483bff79  ppc/openssh-server-3.5p1-11.ppc.rpm

   If you wish to verify that each package has not been corrupted or
   tampered with, examine the md5sum with the following command:

       md5sum [filename]

5. Misc.

   Terra Soft has set up a moderated mailing list where these security,
   bugfix, and package enhancement announcements will be posted. See
   http://lists.terrasoftsolutions.com/ for more information.

   For information regarding the usage of yum, see:
   http://www.yellowdoglinux.com/support/solutions/ydl_general/yum.shtml
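
The check from section 4, scripted for the manual update path, as an added example that is not part of the original advisory. `verify_packages` is a hypothetical helper that reads a checksum table in the section 4 layout and compares each downloaded file with `md5sum`; the demo file name and contents are constructed.

```shell
#!/bin/sh
# verify_packages TABLE DIR   (hypothetical helper, added example)
# TABLE holds lines of "<md5> <dir>/<package>" as in section 4; header and
# ruler lines are ignored. Files are looked up in DIR by basename.
# Returns 0 only if at least one file was checked and none mismatched.
verify_packages() {
    table=$1; dir=$2; checked=0; bad=0
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline
    while read -r want path || [ -n "$want" ]; do
        case $want in
            ''|*[!0-9a-fA-F]*) continue ;;   # not a hex digest
        esac
        [ "${#want}" -eq 32 ] || continue    # MD5 is 32 hex characters
        [ -n "$path" ] || continue
        name=${path##*/}
        if [ ! -f "$dir/$name" ]; then
            echo "SKIP     $name (not downloaded)"
            continue
        fi
        got=$(md5sum < "$dir/$name" | cut -d' ' -f1)
        want=$(echo "$want" | tr 'A-F' 'a-f')
        checked=$((checked + 1))
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $want, got $got)"
            bad=$((bad + 1))
        fi
    done < "$table"
    [ "$checked" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed demonstration: a stand-in file plays the downloaded package.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed stand-in for an rpm\n' > "$tmp/openssh-demo.ppc.rpm"
    sum=$(md5sum < "$tmp/openssh-demo.ppc.rpm" | cut -d' ' -f1)
    printf 'MD5 checksum  Package\n%s  ppc/openssh-demo.ppc.rpm\n' "$sum" \
        > "$tmp/table.txt"
    rc=0
    verify_packages "$tmp/table.txt" "$tmp" || rc=1
    rm -rf "$tmp"
    return "$rc"
}
demo
```

Save the section 4 table to a file, run the function against the download directory, and continue to `rpm -Fvh` only when it returns 0.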