Slackware: 'openssh' PAM vulnerability
Posted by LinuxSecurity.com Team   
Slackware Upgraded OpenSSH 3.7.1p2 packages are available for Slackware 8.1,9.0 and -current. This fixes security problems with PAMauthentication. It also includes several code cleanups from SolarDesigner.

[slackware-security]  New OpenSSH packages (SSA:2003-266-01)

Upgraded OpenSSH 3.7.1p2 packages are available for Slackware 8.1,
9.0 and -current.  This fixes security problems with PAM
authentication.  It also includes several code cleanups from Solar
Designer.

Slackware is not vulnerable to the PAM problem, and it is not
believed that any of the other code cleanups fix exploitable
security problems, not nevertheless sites may wish to upgrade.

These are some of the more interesting entries from OpenSSH's
ChangeLog so you can be the judge:

     [buffer.c]
     protect against double free; #660;  zardoz at users.sf.net
   - markus@cvs.openbsd.org 2003/09/18 08:49:45
     [deattack.c misc.c session.c ssh-agent.c]
     more buffer allocation fixes; from Solar Designer; CAN-2003-0682;
     ok millert@
 - (djm) Bug #676: Fix PAM stack corruption
 - (djm) Fix bad free() in PAM code


WHERE TO FIND THE NEW PACKAGES:
+-----------------------------+

Updated package for Slackware 8.1: 
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/openssh-3.7.1p2-i386-1.tgz

Updated package for Slackware 9.0: 
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/openssh-3.7.1p2-i386-1.tgz

Updated package for Slackware -current: 
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssh-3.7.1p2-i486-1.tgz


MD5 SIGNATURES:
+-------------+

Slackware 8.1 package:
7ee5b3d42fc539325afe1c5c9bb75e95  openssh-3.7.1p2-i386-1.tgz

Slackware 9.0 package:
a8869a2c33e62075eed6a5ed03600bfa  openssh-3.7.1p2-i386-1.tgz

Slackware -current package:
9b5c5f292809524b1b54466e9c98407f  openssh-3.7.1p2-i486-1.tgz


INSTALLATION INSTRUCTIONS:
+------------------------+

(This procedure is safe to do while logged in through OpenSSH)

Upgrade using upgradepkg (as root):
# upgradepkg openssh-3.7.1p2-i386-1.tgz

Restart OpenSSH:
. /etc/rc.d/rc.sshd restart


+-----+

Slackware Linux Security Team 
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST:                         |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back.  Follow the instructions to  |
| complete the unsubscription.  Do not reply to this message to          |
| unsubscribe!                                                           |
+------------------------------------------------------------------------+