feel free to announce it:

---------------------------------------------------------------------------
Debian Security Advisory DSA XXX-X                      security@debian.org
http://www.debian.org/security/                             Bernd Eckenfels
November, 12th, 2001
---------------------------------------------------------------------------

Packages       : ssh-nonfree, ssh-socks
Vulnerability  : Buffer Overflow
Problem-Type   : remote root exploit
Debian-specific: no

A remote exploit of the original ssh daemon is widely known. The exploit
was announced on Bugtraq, and we have reports of actually hacked hosts.

The problem, as reported in Bug Report #85725, is present in deattack.c and
rsaglue.c.

We strongly recommend that you upgrade your ssh-nonfree packages
immediately.

This problem is fixed in 1.2.27-6 (testing, unstable) and 1.2.26-6.2
(potato).

NOTE: as you can see from the incomplete list of architectures, the Debian
Project is not spending much time on maintaining non-free packages.
Therefore it is highly recommended that you switch to the free ssh
implementation. You can find OpenSSH in the Debian GNU/Linux package called
"ssh".

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

Note: due to the non-free nature of these packages, we do not support
auto-upgrade from security.debian.org.

Debian GNU/Linux 2.2 alias potato
---------------------------------

  Source archives:

    http://non-us.debian.org/debian-non-US/pool/non-US/non-free/s/ssh-nonfree/ssh-nonfree_1.2.27-6.2.dsc
      MD5 checksum: 8ba9a4c2d4059b973e6c46bb6ab88958
    http://non-us.debian.org/debian-non-US/pool/non-US/non-free/s/ssh-nonfree/ssh-nonfree_1.2.27-6.2.diff.gz
      MD5 checksum: 92161c3468189f17eb17421fd2e91f1e

  Intel ia32 architecture:

    http://non-us.debian.org/debian-non-US/pool/non-US/non-free/s/ssh-nonfree/ssh-nonfree_1.2.27-6.2_i386.deb
      MD5 checksum: e4f6db9acb54b9e3dc75315a66207840
    http://non-us.debian.org/debian-non-US/pool/non-US/non-free/s/ssh-nonfree/ssh-socks_1.2.27-6.2_i386.deb
      MD5 checksum: 0eab3e6250c3aa4130ec5a2f719531e6

  Or using the following sources.list line for apt-get:

    deb http://non-us.debian.org/debian-non-US potato-proposed-updates/non-US main non-free

-- 
  (OO)      -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
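
The advisory's manual path (wget, then dpkg -i) leaves comparing each download with its listed MD5 checksum to the reader. The following shell script, an added example that is not part of the original message, extracts the URL/checksum pairs from a saved copy of the advisory and checks already-downloaded files against them; the function names are hypothetical and md5sum from GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example, not part of the advisory. Function names are hypothetical.
# Assumes md5sum (GNU coreutils) and a plain-text copy of the advisory.

# advisory_sums FILE: print "md5  filename" for each URL that is followed
# by an "MD5 checksum:" value. Text is split on whitespace first, so it
# works whether the advisory is line-wrapped or run together, and the
# "checkum" spelling is accepted as well.
advisory_sums() {
    tr -s '[:space:]' '\n' < "$1" | awk '
        /^(http|ftp):\/\// { n = split($0, p, "/"); name = p[n]; want = 0; next }
        want && name != "" && length($0) == 32 && /^[0-9a-fA-F]+$/ {
            print tolower($0) "  " name; name = ""
        }
        { want = ($0 ~ /^checks?um:$/) }
    '
}

# verify_downloads ADVISORY DIR: compare every listed file found in DIR
# with its advisory checksum. Succeeds only if at least one file was
# checked and none mismatched.
verify_downloads() {
    checked=0 bad=0
    sums=$(advisory_sums "$1")
    while read -r want name; do
        [ -n "$name" ] && [ -f "$2/$name" ] || continue
        got=$(md5sum < "$2/$name" | awk '{ print $1 }')
        checked=$((checked + 1))
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"
            bad=$((bad + 1))
        fi
    done <<EOF
$sums
EOF
    [ "$checked" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Usage: sh verify.sh advisory.txt /path/to/downloads && dpkg -i file.deb
if [ "$#" -eq 2 ]; then
    verify_downloads "$1" "$2"
fi
```

The checksums are only as trustworthy as the advisory text they come from, so the PGP signature on the message should be checked before relying on them.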