Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Linux :: Apps N-Z :: bt1205.txt

openssh remote root

Hash: SHA1


OpenPKG Security Advisory                            The OpenPKG Project                   
OpenPKG-SA-2003.042                                          24-Sep-2003

Package:             openssh
Vulnerability:       remote root exploit
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= openssh-3.7.1p1-20030917 >= openssh-3.7.1p2-20030923
OpenPKG 1.3          none                        N.A.
OpenPKG 1.2          none                        N.A.

Dependent Packages:  none

  According to a OpenSSH Security Advisory [0], versions 3.7p1 and
  3.7.1p1 of OpenSSH [1] contain multiple vulnerabilities in its
  Pluggable Authentication Modules (PAM) related code. At least one
  of these bugs is remotely exploitable if Privilege Separation is
  disabled and PAM support is enabled. Older versions of OpenSSH are not
  vulnerable. OpenPKG installations are only affected if the package was
  built with option "with_pam" set to "yes" -- which is not the default.

  The Common Vulnerabilities and Exposures (CVE) project assigned
  the id CAN-2003-0786 [2] to the problem where SSH1 PAM challenge
  response authentication ignored the result of the authentication with
  Privilege Separation off. The Common Vulnerabilities and Exposures
  (CVE) project assigned the id CAN-2003-0787 [3] to the problem where
  the PAM conversation function trashed the stack.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  openssh". If you have the "openssh" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution). [4][5]

  Select the updated source RPM appropriate for OpenPKG CURRENT [6]
  (or any later version), fetch it from the OpenPKG FTP service [7]
  or a mirror location, build a corresponding binary RPM from it [4]
  and update your OpenPKG installation by applying the binary RPM [5].
  Perform the following operations to permanently fix the security

  $ ftp
  ftp> bin
  ftp> cd current/SRC
  ftp> get openssh-3.7.1p2-20030923.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm --rebuild openssh-3.7.1p2-20030923.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssh-3.7.1p2-20030923.*.rpm


For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from and
hkp:// Follow the instructions on
for details on how to verify the integrity of this advisory.

Comment: OpenPKG <>


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH