[17176] in bugtraq
Re: MDKSA-2000:057 - openssh update
daemon@ATHENA.MIT.EDU (Markus Friedl)
Thu Oct 12 14:25:26 2000
Message-Id: <20001012155841.A31538@folly>
Date: Thu, 12 Oct 2000 15:58:41 +0200
Reply-To: Markus Friedl <markus.friedl@INFORMATIK.UNI-ERLANGEN.DE>
From: Markus Friedl <markus.friedl@INFORMATIK.UNI-ERLANGEN.DE>
X-To: Linux Mandrake Security Announcements
<security-announce@linux-mandrake.com>,
Linux Mandrake Security <mdk-security@freezer-burn.org>,
Linux Security List <linuxlist@securityportal.com>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20001010115116.A25696@mandrakesoft.com>; from
security@LINUX-MANDRAKE.COM on Tue, Oct 10,
2000 at 11:51:16AM -0600
hello,
this makes no sense at all. the problem is about 'defects' in scp/rcp,
and has nothing to do with /usr/bin/ssh having sbits turned off or not.
this advisory is wrong, and misleading at its best.
-markus (@openssh.com)
On Tue, Oct 10, 2000 at 11:51:16AM -0600, Linux Mandrake Security Team wrote:
> ________________________________________________________________________
>
> Package name: openssh
> Date: October 10th, 2000
> Advisory ID: MDKSA-2000:057
>
> Affected versions: 7.0, 7.1
> ________________________________________________________________________
>
> Problem Description:
>
> A problem exists with openssh's scp program. If a user uses scp to
> move files from a server that has been compromised, the operation can
> be used to replace arbitrary files on the user's system. The problem
> is made more serious by setuid versions of ssh which allow overwriting
> any file on the local user's system. If the ssh program is not setuid
> or is setuid to someone other than root, the intrusion is limited to
> files with write access granted to the owner of the ssh program. In
> either case, files can be overwritten with code allowing others access
> to the system unexpectedly. While no fix has been provided for openssh
> as of yet, the versions of openssh available for Linux-Mandrake 7.0 and
> 7.1 were setuid root. This update removes the setuid bit from the ssh
> program and limits the exploitability of scp somewhat. All users of
> Linux-Mandrake are encouraged to upgrade to these latest openssh
> builds. Linux-Mandrake 7.0 users will also need to upgrade openssl in
> order to use the 7.0 update of openssh.
> ________________________________________________________________________