OpenSSH-3.7 released (fixes Buffer Management bug)

unSpawn · 09-16-2003, 12:29 PM

OpenSSH 3.7 released September 16, 2003.
OpenSSH 3.7 and newer are not vulnerable to "September 16, 2003: OpenSSH Buffer Management bug", OpenSSH Security Advisory: http://www.openssh.com/txt/buffer.adv:

Subject: OpenSSH Security Advisory: buffer.adv
This is the 1st revision of the Advisory.
This document can be found at: http://www.openssh.com/txt/buffer.adv

1. Versions affected:
All versions of OpenSSH's sshd prior to 3.7 contain a buffer
management error. It is uncertain whether this error is
potentially exploitable, however, we prefer to see bugs
fixed proactively.

2. Solution:
Upgrade to OpenSSH 3.7 or apply the following patch.

jeremy · 09-16-2003, 01:19 PM

Just wanted to note. An exploit for this *seems* to be in the wild so patch your systems ASAP!

--jeremy

seabass55 · 09-16-2003, 08:07 PM

3.7.1 has been released....3.7 doesn't fix all problems. Patch up!

smazzux · 09-16-2003, 08:21 PM

i've found that it double every backslash in my banner file..
older versions didn't
it's not a big prob, but quite annoying..

jeremy · 09-16-2003, 10:32 PM

Another note. Seems 3.7 didn't fix the bug. Time to upgrade to 3.7.1!

Quote:

Subject: OpenSSH Security Advisory: buffer.adv

This is the 2nd revision of the Advisory.

This document can be found at: http://www.openssh.com/txt/buffer.adv

1. Versions affected:

All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
management errors. It is uncertain whether these errors are
potentially exploitable, however, we prefer to see bugs
fixed proactively.

Other implementations sharing common origin may also have
these issues.

2. Solution:

Upgrade to OpenSSH 3.7.1 or apply the following patch.

http://www.openssh.com/txt/buffer.adv

--jeremy

unSpawn · 09-17-2003, 06:42 AM

//moderator.note: thread opened, merges.

ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog snippet says:

Code:

20030917
 - (djm) OpenBSD Sync
   - markus@cvs.openbsd.org 2003/09/16 21:02:40
     [buffer.c channels.c version.h]
     more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU
 - (djm) Crank RPM spec versions
 - (djm) Release 3.7.1p1

Thread wrt fatal() see: Full-Disclosure.

Btw, did anyone notice clientside directive problems with "VerifyHostKeyDNS"?

markng · 09-23-2003, 10:48 PM

Hi guys,

I tried to patch my Redhat 8.0 box with the rpms downloaded from Redhats site and I get this error.

----------------
warning: openssh-3.4p1-7.i386.rpm: V3 DSA signature: NOKEY, key ID db42a60e
error: Failed dependencies:
openssh = 3.4p1-2 is needed by (installed) openssh-clients-3.4p1-2
openssh = 3.4p1-2 is needed by (installed) openssh-server-3.4p1-2

---------------

I've already stopped sshd. What am I missing here? Any help is greatly appreciated.

Thanks

Capt_Caveman · 09-23-2003, 11:41 PM

I believe you need to upgrade all the ssh-related packages, not just ssh itself. Go to: https://rhn.redhat.com/errata/RHSA-2003-279.html and download all the rpms for your specific redhat distro. So you'll need:

openssh-3.4p1-7.i386.rpm
openssh-askpass-3.4p1-7.i386.rpm
openssh-askpass-gnome-3.4p1-7.i386.rpm
openssh-clients-3.4p1-7.i386.rpm
openssh-server-3.4p1-7.i386.rpm

That should solve your dependency problems.

Capt_Caveman · 09-23-2003, 11:49 PM

Looks like the most recent openSSH patch has a potentially remotely exploitable bug as well. However, only OpenSSH versions 3.7p1 and 3.7.1p1 are vulnerable (patched Redhat versions are alright) and that's only if you have turned on PAM-based authentication. Read the advisory here:

http://www.securityfocus.com/archive/121/338617