diff options
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-02:13.openssh.asc')
-rw-r--r-- | share/security/advisories/FreeBSD-SA-02:13.openssh.asc | 213 |
1 files changed, 0 insertions, 213 deletions
diff --git a/share/security/advisories/FreeBSD-SA-02:13.openssh.asc b/share/security/advisories/FreeBSD-SA-02:13.openssh.asc deleted file mode 100644 index f0d44b375d..0000000000 --- a/share/security/advisories/FreeBSD-SA-02:13.openssh.asc +++ /dev/null @@ -1,213 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- - -============================================================================= -FreeBSD-SA-02:13 Security Advisory - FreeBSD, Inc. - -Topic: OpenSSH contains exploitable off-by-one bug - -Category: core, ports -Module: openssh, ports_openssh, openssh-portable -Announced: 2002-03-07 -Credits: Joost Pol <joost@pine.nl> -Affects: FreeBSD 4.4-RELEASE, 4.5-RELEASE - FreeBSD 4.5-STABLE prior to the correction date - openssh port prior to openssh-3.0.2_1 - openssh-portable port prior to openssh-portable-3.0.2p1_1 -Corrected: 2002-03-06 13:57:54 UTC (RELENG_4) - 2002-03-07 14:40:56 UTC (RELENG_4_5) - 2002-03-07 14:40:07 UTC (RELENG_4_4) - 2002-03-06 13:53:38 UTC (ports/security/openssh) - 2002-03-06 13:53:39 UTC (ports/security/openssh-portable) -CVE: CAN-2002-0083 -FreeBSD only: NO - -I. Background - -OpenSSH is a free version of the SSH protocol suite of network -connectivity tools. OpenSSH encrypts all traffic (including -passwords) to effectively eliminate eavesdropping, connection -hijacking, and other network-level attacks. Additionally, OpenSSH -provides a myriad of secure tunneling capabilities, as well as a -variety of authentication methods. `ssh' is the client application, -while `sshd' is the server. - -II. Problem Description - -OpenSSH multiplexes `channels' over a single TCP connection in order -to implement X11, TCP, and agent forwarding. An off-by-one error in -the code which manages channels can result in a reference to memory -beyond that allocated for channels. A malicious client or server may -be able to influence the contents of the memory so referenced. - -III. Impact - -An authorized remote user (i.e. a user that can successfully -authenticate on the target system) may be able to cause sshd to -execute arbitrary code with superuser privileges. - -A malicious server may be able to cause a connecting ssh client to -execute arbitrary code with the privileges of the client user. - -IV. Workaround - -Do one of the following: - -1) The FreeBSD malloc implementation can be configured to overwrite - or `junk' memory that is returned to the malloc arena. Due to the - details of exploiting this bug, configuring malloc to junk memory - will thwart the attack. - - To configure a FreeBSD system to junk memory, execute the following - commands as root: - - # ln -fs J /etc/malloc.conf - - Note that this option will degrade system performance. See the - malloc(3) man page for full details on malloc options. - -2) Disable the base system sshd by executing the following command as - root: - - # kill `cat /var/run/sshd.pid` - - Be sure that sshd is not restarted when the system is restarted - by adding the following line to the end of /etc/rc.conf: - - sshd_enable="NO" - - AND - - Deinstall the openssh or openssh-portable ports if you have one of - them installed. - -V. Solution - -Do one of the following: - -[For OpenSSH included in the base system] - -1) Upgrade the vulnerable system to 4.4-RELEASEp9, 4.5-RELEASEp2, - or 4.5-STABLE after the correction date and rebuild. - -2) FreeBSD 4.x systems prior to the correction date: - -The following patch has been verified to apply to FreeBSD 4.4-RELEASE, -4.5-RELEASE, and 4.5-STABLE dated prior to the correction date. It -may or may not apply to older, unsupported versions of FreeBSD. - -Download the patch and the detached PGP signature from the following -locations, and verify the signature using your PGP utility. - -# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:13/openssh.patch -# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:13/openssh.patch.asc - -Execute the following commands as root: - -# cd /usr/src -# patch < /path/to/sshd.patch -# cd /usr/src/secure/lib/libssh -# make depend && make all -# cd /usr/src/secure/usr.sbin/sshd -# make depend && make all install -# cd /usr/src/secure/usr.bin/ssh -# make depend && make all install - -[For the OpenSSH ports] - -One of the following: - -1) Upgrade your entire ports collection and rebuild the OpenSSH port. - -2) Deinstall the old package and install a new package obtained from -the following directory: - -[i386] -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/ - -[other platforms] -Packages are not automatically generated for other platforms at this -time due to lack of build resources. - -3) Download a new port skeleton for the openssh or openssh-portable -port from: - -http://www.freebsd.org/ports/ - -and use it to rebuild the port. - -4) Use the portcheckout utility to automate option (3) above. The -portcheckout port is available in /usr/ports/devel/portcheckout or the -package can be obtained from: - -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz - -VI. Correction details - -The following list contains the revision numbers of each file that was -corrected in the FreeBSD ports collection. - -Path Revision - Branch -- ------------------------------------------------------------------------- -[Base system] -src/crypto/openssh/channels.c - HEAD 1.8 - RELENG_4 1.1.1.1.2.6 - RELENG_4_5 1.1.1.1.2.5.2.1 - RELENG_4_4 1.1.1.1.2.4.4.1 -src/crypto/openssh/version.h - HEAD 1.10 - RELENG_4 1.1.1.1.2.8 - RELENG_4_5 1.1.1.1.2.7.2.1 - RELENG_4_4 1.1.1.1.2.5.2.2 -src/sys/conf/newvers.sh - RELENG_4_5 1.44.2.20.2.3 - RELENG_4_4 1.44.2.17.2.8 - -[Ports] -ports/security/openssh/Makefile 1.81 -ports/security/openssh/files/patch-channels.c 1.1 -ports/security/openssh-portable/Makefile 1.21 -ports/security/openssh-portable/files/patch-channels.c 1.1 -- ------------------------------------------------------------------------- - -Branch Version string -- ------------------------------------------------------------------------- -HEAD OpenSSH_2.9 FreeBSD localisations 20020307 -RELENG_4 OpenSSH_2.9 FreeBSD localisations 20020307 -RELENG_4_5 OpenSSH_2.9 FreeBSD localisations 20020307 -RELENG_4_4 OpenSSH_2.3.0 FreeBSD localisations 20020307 -- ------------------------------------------------------------------------- - -To view the version string of the OpenSSH server, execute the -following command: - - % /usr/sbin/sshd -\? - -The version string is also displayed when a client connects to the -server. - -To view the version string of the OpenSSH client, execute the -following command: - - % /usr/bin/ssh -V - -VII. References - -<URL:http://www.pine.nl/advisories/pine-cert-20020301.txt> - -The Common Vulnerabilities and Exposures project (cve.mitre.org) has -assigned the name CAN-2002-0083 to this issue. - <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0083> ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.0.6 (FreeBSD) -Comment: For info see http://www.gnupg.org - -iQCVAwUBPId+x1UuHi5z0oilAQGvpAP+NDgcpdZAo8aB2ptAbbS7h3MzJULCnPlN -BqnQ+AylR8HTcPt7XduF6Sh8KSpu75Y5uCJcrNvAoF2jmnH3DFa79GY4hEj7VvCl -DiAzN3bwcTFBAPWSNaCXK6odyqCjumMOL3drgtibuMHZuQSKn5ZOvNKquVSXuaY+ -86MXQwGukUU= -=csOr ------END PGP SIGNATURE----- |