Debian: 'ssh-nonfree' 'ssh-socks' Remote root vulnerability
Posted by Team   
Debian We have received reports that the "SSH CRC-32 compensation attackdetector vulnerability" is being actively exploited. This is the sameinteger type error previously corrected for OpenSSH in DSA-027-1.OpenSSH (the Debian ssh package) was fixed at that time, butssh-nonfree and ssh-socks were not.

Debian Security Advisory DSA 086-1                                             Michael Stone
November 13, 2001

Package: ssh-nonfree, ssh-socks
Vulnerability: remote root exploit
Debian-specific: no

We have received reports that the "SSH CRC-32 compensation attack
detector vulnerability" is being actively exploited. This is the same
integer type error previously corrected for OpenSSH in DSA-027-1.
OpenSSH (the Debian ssh package) was fixed at that time, but
ssh-nonfree and ssh-socks were not.

Though packages in the non-free section of the archive are not
officially supported by the Debian project, we are taking the unusal
step of releasing updated ssh-nonfree/ssh-socks packages for those
users who have not yet migrated to OpenSSH. However, we do recommend
that our users migrate to the regularly supported, DFSG-free "ssh"
package as soon as possible. ssh 1.2.3-9.3 is the OpenSSH package
available in Debian 2.2r4.

The fixed ssh-nonfree/ssh-socks packages are available in version
1.2.27-6.2 for use with Debian 2.2 (potato) and version 1.2.27-8 for
use with the Debian unstable/testing distribution. Note that the new
ssh-nonfree/ssh-socks packages remove the setuid bit from the ssh
binary, disabling rhosts-rsa authentication. If you need this
functionality, run
 chmod u+s /usr/bin/ssh1
after installing the new package.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 2.2 alias potato

  Source archives:
      MD5 checksum: 92161c3468189f17eb17421fd2e91f1e
      MD5 checksum: 8ba9a4c2d4059b973e6c46bb6ab88958
      MD5 checksum: c22bc000bee0f7d6f4845eab72a81395

  Alpha architecture:
      MD5 checksum: 90996c54a25e41d743826648d4160f85
      MD5 checksum: bd7a26a286ee8f21e17c943cacb085cc
      MD5 checksum: 4c979615edf37d2b980f1d5421f32933

  ARM architecture:

    Not yet available

  Intel ia32 architecture:
      MD5 checksum: e43c6b7ad3a6cf71d07f528ad9adb34c
      MD5 checksum: e4f6db9acb54b9e3dc75315a66207840
      MD5 checksum: 0eab3e6250c3aa4130ec5a2f719531e6

  Motorola M680x0 architecture:
      MD5 checksum: 903221f1d6b2770aacafe5ec059199bc
      MD5 checksum: a491728bdd38a38a0ed9257eb7d8f610
      MD5 checksum: 5c8b6771e7c287ba4794f41db771d879

  PowerPC architecture:
      MD5 checksum: c0366ff3cb037054da92b597d3c48aee
      MD5 checksum: 64eb49a847c7e2c16463375948fb1903
      MD5 checksum: 2b530b0590aa372c8c77cc8e80ed01e2

  Sun Sparc architecture:
      MD5 checksum: 1a1844a143bcd2daae80a70005c74084
      MD5 checksum: bfcc81152d02d6bc1f5a93018fe56835
      MD5 checksum: 3d69332e3c134251439b64f4e379cb68

For not yet released architectures please refer to the appropriate
directory$arch/ .

For apt-get: deb stable/updates main non-free
For dpkg-ftp: dists/stable/updates/main dists/stable/updates/non-free
Mailing list: