RE: [SECURITY] [DSA 1576-1] New openssh packages fix predictable randomness
Hola:
Por si les interesa, hay una alerta de seguridad en debian.
Saludos
Leonardo
----------------------------------------
> From: fw@deneb.enyo.de
> To: debian-security-announce@lists.debian.org
> Date: Wed, 14 May 2008 11:24:56 +0200
> Subject: [SECURITY] [DSA 1576-1] New openssh packages fix predictable randomness
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ------------------------------------------------------------------------
> Debian Security Advisory DSA-1576-1 security@debian.org
> http://www.debian.org/security/ Florian Weimer
> May 14, 2008 http://www.debian.org/security/faq
> - ------------------------------------------------------------------------
>
> Package : openssh
> Vulnerability : predictable random number generator
> Problem type : remote
> Debian-specific: yes
> CVE Id(s) : CVE-2008-0166
>
> The recently announced vulnerability in Debian's openssl package
> (DSA-1571-1, CVE-2008-0166) indirectly affects OpenSSH. As a result,
> all user and host keys generated using broken versions of the openssl
> package must be considered untrustworthy, even after the openssl update
> has been applied.
>
> 1. Install the security updates
>
> This update contains a dependency on the openssl update and will
> automatically install a corrected version of the libss0.9.8 package,
> and a new package openssh-blacklist.
>
> Once the update is applied, weak user keys will be automatically
> rejected where possible (though they cannot be detected in all
> cases). If you are using such keys for user authentication, they
> will immediately stop working and will need to be replaced (see
> step 3).
>
> OpenSSH host keys can be automatically regenerated when the OpenSSH
> security update is applied. The update will prompt for confirmation
> before taking this step.
>
> 2. Update OpenSSH known_hosts files
>
> The regeneration of host keys will cause a warning to be displayed when
> connecting to the system using SSH until the host key is updated in the
> known_hosts file. The warning will look like this:
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the RSA host key has just been changed.
>
> In this case, the host key has simply been changed, and you should update
> the relevant known_hosts file as indicated in the error message.
>
> It is recommended that you use a trustworthy channel to exchange the
> server key. It is found in the file /etc/ssh/ssh_host_rsa_key.pub on
> the server; it's fingerprint can be printed using the command:
>
> ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
>
> In addition to user-specific known_hosts files, there may be a
> system-wide known hosts file /etc/ssh/known_hosts. This is file is
> used both by the ssh client and by sshd for the hosts.equiv
> functionality. This file needs to be updated as well.
>
> 3. Check all OpenSSH user keys
>
> The safest course of action is to regenerate all OpenSSH user keys,
> except where it can be established to a high degree of certainty that the
> key was generated on an unaffected system.
>
> Check whether your key is affected by running the ssh-vulnkey tool, included
> in the security update. By default, ssh-vulnkey will check the standard
> location for user keys (~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity),
> your authorized_keys file (~/.ssh/authorized_keys and
> ~/.ssh/authorized_keys2), and the system's host keys
> (/etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key).
>
> To check all your own keys, assuming they are in the standard
> locations (~/.ssh/id_rsa, ~/.ssh/id_dsa, or ~/.ssh/identity):
>
> ssh-vulnkey
>
> To check all keys on your system:
>
> sudo ssh-vulnkey -a
>
> To check a key in a non-standard location:
>
> ssh-vulnkey /path/to/key
>
> If ssh-vulnkey says "Unknown (no blacklist information)", then it has no
> information about whether that key is affected. In this case, you
> can examine the modification time (mtime) of the file using "ls -l".
> Keys generated before September 2006 are not affected. Keep in mind
> that, although unlikely, backup procedures may have changed the file
> date back in time (or the system clock may have been incorrectly
> set).
>
> If in doubt, generate a new key and remove the old one from any
> servers.
>
> 4. Regenerate any affected user keys
>
> OpenSSH keys used for user authentication must be manually regenerated,
> including those which may have since been transferred to a different system
> after being generated.
>
> New keys can be generated using ssh-keygen, e.g.:
>
> $ ssh-keygen
> Generating public/private rsa key pair.
> Enter file in which to save the key (/home/user/.ssh/id_rsa):
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Your identification has been saved in /home/user/.ssh/id_rsa.
> Your public key has been saved in /home/user/.ssh/id_rsa.pub.
> The key fingerprint is:
> 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 user@host
>
> 5. Update authorized_keys files (if necessary)
>
> Once the user keys have been regenerated, the relevant public keys
> must be propagated to any authorized_keys files (and authorized_keys2
> files, if applicable) on remote systems. Be sure to delete the lines
> containing old keys from those files..
>
>
> In addition to countermeasures to mitigate the randomness vulnerability,
> this OpenSSH update fixes several other vulnerabilities:
>
> CVE-2008-1483:
> Timo Juhani Lindfors discovered that, when using X11 forwarding, the
> SSH client selects an X11 forwarding port without ensuring that it
> can be bound on all address families. If the system is configured
> with IPv6 (even if it does not have working IPv6 connectivity), this
> could allow a local attacker on the remote server to hijack X11
> forwarding.
>
> CVE-2007-4752:
> Jan Pechanec discovered that ssh fails back to creating a trusted X11
> cookie if creating an untrusted cookie fails, potentially exposing
> the local display to a malicious remote server when using X11
> forwarding.
>
> For the stable distribution (etch), these problems have been fixed in
> version 4.3p2-9etch1. Currently, only a subset of all supported
> architectures have been built; further updates will be provided when
> they become available.
>
> For the unstable distribution (sid) and the testing distribution
> (lenny), these problems have been fixed in version 4.7p1-9.
>
> We recommend that you upgrade your openssh packages and take the
> measures indicated above.
>
> Upgrade instructions
> - --------------------
>
> wget url
> will fetch the file for you
> dpkg -i file.deb
> will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
> will update the internal database
> apt-get upgrade
> will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 4.0 alias etch
> - -------------------------------
>
> Source archives:
>
> http://security.debian.org/pool/updates/main/o/openssh/openssh_4.3p2-9etch1.diff.gz
> Size/MD5 checksum: 275168 920f559caa1c8c737b016c08df2bde05
> http://security.debian.org/pool/updates/main/o/openssh-blacklist/openssh-blacklist_0.1.1.tar.gz
> Size/MD5 checksum: 3694141 05eec6b473990bff4fc70921b232794b
> http://security.debian.org/pool/updates/main/o/openssh/openssh_4.3p2-9etch1.dsc
> Size/MD5 checksum: 1074 89930d72e9aff6b344efd35a130e4faa
> http://security.debian.org/pool/updates/main/o/openssh-blacklist/openssh-blacklist_0.1.1.dsc
> Size/MD5 checksum: 799 aeaa45e0bfbf7f966e3c7fca9181d99d
> http://security.debian.org/pool/updates/main/o/openssh/openssh_4.3p2.orig.tar.gz
> Size/MD5 checksum: 920186 239fc801443acaffd4c1f111948ee69c
>
> Architecture independent packages:
>
> http://security.debian.org/pool/updates/main/o/openssh-blacklist/openssh-blacklist_0.1.1_all.deb
> Size/MD5 checksum: 2121928 fa1ba22d98f91f18b326ee1bfd31bcbb
> http://security.debian.org/pool/updates/main/o/openssh/ssh_4.3p2-9etch1_all.deb
> Size/MD5 checksum: 1060 44ec3f52add1876d7b2c1bd3fa3cdbfd
> http://security.debian.org/pool/updates/main/o/openssh/ssh-krb5_4.3p2-9etch1_all.deb
> Size/MD5 checksum: 92162 9ae37916a6dc269318aff1215b6638cf
>
> alpha architecture (DEC Alpha)
>
> http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch1_alpha.udeb
> Size/MD5 checksum: 198496 69fe6fc4002ec592e1756cee28ffd85b
> http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch1_alpha.deb
> Size/MD5 checksum: 782120 e5746f3c12a52f72b75cffee8e1c3a6f
> http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch1_alpha.deb
> Size/MD5 checksum: 100402 fda20ac6b68a6882534384e6ce4e6efd
> http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch1_alpha.udeb
> Size/MD5 checksum: 213724 118390296bbf6d6d208d39a07895852e
> http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch1_alpha.deb
> Size/MD5 checksum: 266518 be53eb9497ea993e0ae7db6a0a4dcd3a
>
> amd64 architecture (AMD x86_64 (AMD64))
>
> http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch1_amd64.udeb
> Size/MD5 checksum: 183848 bd6c4123fe0e72f7565e455b25eb037c
> http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch1_amd64.deb
> Size/MD5 checksum: 244406 f70bf398d91eb4b8fe27cc5b03548b16
> http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch1_amd64.udeb
> Size/MD5 checksum: 171512 0b8afcf2b96ad97323152342e83dd3bf
> http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch1_amd64.deb
> Size/MD5 checksum: 709734 556332c58aeee82628d35ebf71d15ac1
> http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch1_amd64.deb
> Size/MD5 checksum: 99896 14d2f97314e7b4b6cb97540667d7f544
>
> hppa architecture (HP PA RISC)
>
> http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch1_hppa.udeb
> Size/MD5 checksum: 189608 5267dec18e00f3e88bd53b3adfe23e62
> http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch1_hppa.deb
> Size/MD5 checksum: 100438 2ebd2edd75c440c062eaafab5a97b177
> http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch1_hppa.deb
> Size/MD5 checksum: 250556 1ca2aa080853748ab343381d9f9ffc6b
> http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch1_hppa.udeb
> Size/MD5 checksum: 198424 d99af9d81fe074f9b16928cae835ce56
> http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch1_hppa.deb
> Size/MD5 checksum: 733664 e6abc3231e7d274a5a73321ea3761974
>
> i386 architecture (Intel ia32)
>
> http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch1_i386.deb
> Size/MD5 checksum: 660432 16f0807e7871c23af0660e529837cb76
> http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch1_i386.deb
> Size/MD5 checksum: 224178 aaedc883a11ba7273e5ddeb496a3488a
> http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch1_i386.deb
> Size/MD5 checksum: 100000 fd41f726ff14b7f8ab0dfc1c6b43be2c
> http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch1_i386.udeb
> Size/MD5 checksum: 162630 f197dbdfe7a92bd4992d8c77c76b4488
> http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch1_i386.udeb
> Size/MD5 checksum: 154028 5df04dc7c5474b30e515047740bd0c38
>
> ia64 architecture (Intel ia64)
>
> http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch1_ia64.udeb
> Size/MD5 checksum: 269868 1646034b7db5a862ea17d0d6928900ff
> http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch1_ia64.deb
> Size/MD5 checksum: 961594 394027253cbaeba863f07e7fee848dcb
> http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch1_ia64.deb
> Size/MD5 checksum: 101280 f3e421145857106615ce19cb05508a7a
> http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch1_ia64.udeb
> Size/MD5 checksum: 251840 24ba6fd53e10e754845fc4361257d0ff
> http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch1_ia64.deb
> Size/MD5 checksum: 338256 4ff1206f8f3c618f7bfd406f88b38841
>
> powerpc architecture (PowerPC)
>
> http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch1_powerpc.deb
> Size/MD5 checksum: 237040 b50b3e1ac8586eb55a5f06201dd3edf2
> http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch1_powerpc.udeb
> Size/MD5 checksum: 173322 f1fa458555b787a2b7fc786da7974b91
> http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch1_powerpc.deb
> Size/MD5 checksum: 700518 fd43ca106400be36545f31b955667e22
> http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch1_powerpc.deb
> Size/MD5 checksum: 101080 a5005e3e3447f8eb75d99746a2704b8d
> http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch1_powerpc.udeb
> Size/MD5 checksum: 168320 61848a42ed513d232fceea6eb335e315
>
> sparc architecture (Sun SPARC/UltraSPARC)
>
> http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch1_sparc.deb
> Size/MD5 checksum: 218132 ce7a2f44e51c2fe6df31ec567ce65d28
> http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch1_sparc.deb
> Size/MD5 checksum: 99544 61cd81c98576feea92fb865856311b7d
> http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch1_sparc.deb
> Size/MD5 checksum: 639770 6085da0b96f1e9ee87abec7206eb7ef8
> http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch1_sparc.udeb
> Size/MD5 checksum: 166706 99368689bddbc70f98ef5f51aa19051a
> http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch1_sparc.udeb
> Size/MD5 checksum: 158360 07bf438d8e0d3fd02ff37371ff8645d6
>
>
> These files will probably be moved into the stable distribution on
> its next update.
>
> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iQEVAwUBSCqu4797/wQC1SS+AQIvOgf9H/0Xn/paZyp8CCPPuQKBq162OpDhyaOg
> ZFCaOCK2Yv2hNdbPas1EhA2IBGTbmotmKbJcGeyWI9YMwPKY0NxJM8nk/RZ4sL5R
> KF+dALOZ+Vh+Dh333tp4ONvQUc50s78MZukCSoZ/z6i7Efr/dKzBN1rvsxcXs23D
> rZNI1WYmhZBmCSa10Yv93TeN4D1pN2a1rKgZ+a23DlKmAVQJcWm0TWOiMr4HUbMr
> usiEufXC/onF4O3dwVbsV2vOsPI6J4w9yTj1cAuevMDPTUo5ktZCx1PzVDS2wUQV
> wUs+HJ25yNHfw39gfseDzkQUYzlMFipIA59+jr2RbUOItWF3mPDU4Q==
> =m4ox
> -----END PGP SIGNATURE-----
>
>
> --
> To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
_________________________________________________________________
Juega y gana, tenemos 3 Xbox a la semana.
http://club.prodigymsn.com/
Reply to: