-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
--------------------------------------------------------------------------
Turbolinux Security Advisory TLSA-2005-100
http://www.turbolinux.co.jp/security/
security-team@turbolinux.co.jp
--------------------------------------------------------------------------
Original released date: 27 Dec 2005
Last revised: 27 Dec 2005
Package: openssh
Summary: GSSAPI credentials vulnerability
More information:
OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools
that increasing numbers of people on the Internet are coming to rely on.
The sshd in OpenSSH, when GSSAPIDelegateCredentials is enabled,
allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods,
which could cause those credentials to be exposed to untrusted users or hosts.
Impact:
This vulnerability may allow remote users to bypass access control rules.
Affected Products:
- Turbolinux FUJI
- Turbolinux 10 Server x64 Edition
- Turbolinux Appliance Server 1.0 Hosting Edition
- Turbolinux Appliance Server 1.0 Workgroup Edition
- Turbolinux 10 Server
- Turbolinux Home
- Turbolinux 10 F...
- Turbolinux 10 Desktop
- Turbolinux Multimedia
- Turbolinux Personal
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
Solution:
Please use the turbopkg (zabom) tool to apply the update.
---------------------------------------------
[Turbolinux 10 Server, Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home,
Turbolinux Multimedia, Turbolinux Personal]
# turbopkg
or
# zabom -u openssh openssh-askpass openssh-clients openssh-server
[other]
# turbopkg
or
# zabom update openssh openssh-askpass openssh-clients openssh-server
---------------------------------------------
<Turbolinux FUJI>
Source Packages
Size: MD5
openssh-4.1p1-3.src.rpm
950594 c1d0ee00669844f0455de1f5fb585c03
Binary Packages
Size: MD5
openssh-4.1p1-3.i686.rpm
235186 2dc8a3d6eb6c050201adb5bb160319a3
openssh-askpass-4.1p1-3.i686.rpm
37519 9741146cf16ef979886dba1a07ace57b
openssh-clients-4.1p1-3.i686.rpm
253865 13375624cc4809d990c76b1a6efb9453
openssh-server-4.1p1-3.i686.rpm
255229 5a378d4361902a7b975199f4973229ab
<Turbolinux 10 Server x64 Edition>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/SRPMS/openssh-3.9p1-7.src.rpm
908950 917aeb4ea1da347de04929439ee089f6
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/openssh-3.9p1-7.x86_64.rpm
202621 58080b9f2271fa1683642eda5d1f180e
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/openssh-askpass-3.9p1-7.x86_64.rpm
38451 5e5f234704643c8d5b7f94e24253aece
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/openssh-clients-3.9p1-7.x86_64.rpm
237026 e7f42e70afb2bd03d7bb974c1f4ce67c
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/openssh-server-3.9p1-7.x86_64.rpm
245746 3dd4df1042fcf0fca4bb912032625711
<Turbolinux Appliance Server 1.0 Hosting Edition>
Source Packages
Size: MD5
openssh-3.7.1p2-7.src.rpm
842986 fda8d477f6a145c963159e3aee38accd
Binary Packages
Size: MD5
openssh-3.7.1p2-7.i586.rpm
194229 914e02a0023560bc72cc7a6937ae6eb7
openssh-askpass-3.7.1p2-7.i586.rpm
34042 0896aadea058e4ee9a36265596b4147e
openssh-clients-3.7.1p2-7.i586.rpm
216292 039046262e06d5c251613c85129388bd
openssh-server-3.7.1p2-7.i586.rpm
225089 f1ff8f47e20800a2a7efe1aa5b28732f
<Turbolinux Appliance Server 1.0 Workgroup Edition>
Source Packages
Size: MD5
openssh-3.7.1p2-7.src.rpm
842986 4d397ef6c1786a862dd7099d441c6871
Binary Packages
Size: MD5
openssh-3.7.1p2-7.i586.rpm
194337 860a4b6f2d3dc4b1db17a70d84d166fd
openssh-askpass-3.7.1p2-7.i586.rpm
34232 ca66c23b8904521d18c95a8c87ec835a
openssh-clients-3.7.1p2-7.i586.rpm
216470 a87dc806e772ce1857cf854dbf11e81f
openssh-server-3.7.1p2-7.i586.rpm
225243 0e9f2adc1d7f43fdfc05139754be2bca
<Turbolinux 10 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/SRPMS/openssh-3.9p1-7.src.rpm
908950 d017c1fc3759bda87ea6d6964e7cd7c9
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/openssh-3.9p1-7.i586.rpm
189351 480bae9b168ba45ac1933626d3c53e95
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/openssh-askpass-3.9p1-7.i586.rpm
36522 3f8ad91ce93d6748bb15170c536d0a7d
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/openssh-clients-3.9p1-7.i586.rpm
215265 caaea4ee2cd8dcffd92da326bf8c3d25
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/openssh-server-3.9p1-7.i586.rpm
217280 2b9ce9b18a4f9920a222cd5664958cf4
<Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home, Turbolinux Multimedia, Turbolinux Personal>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/openssh-3.8p1-7.src.rpm
879480 e7463192e296082b01652d1455e54118
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/openssh-3.8p1-7.i586.rpm
192898 74b1ed7f34377b61776e460b2b7a2620
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/openssh-askpass-3.8p1-7.i586.rpm
36419 bdbe10961d7e1231702b47567bcb53c9
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/openssh-clients-3.8p1-7.i586.rpm
211414 7639f743b9c535009c87257ef013a4e3
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/openssh-server-3.8p1-7.i586.rpm
214255 161b34502bbe5e7ad9314281d0916618
<Turbolinux 8 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/openssh-3.7.1p2-7.src.rpm
842986 2135415db1e00b6b153355d967847099
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/openssh-3.7.1p2-7.i586.rpm
194458 7ef26f0180d8b1f8b845032962b6c2d4
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/openssh-askpass-3.7.1p2-7.i586.rpm
34235 38ebbfa29398857618648d469221b718
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/openssh-askpass-gnome-3.7.1p2-7.i586.rpm
15515 0ccb7dd85750ab3f20ad64c5a9ff4ac2
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/openssh-clients-3.7.1p2-7.i586.rpm
216508 6f9dfa7a2bd5f6c49cb4984e2837361a
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/openssh-server-3.7.1p2-7.i586.rpm
225130 c8d1914051c07a5b9f2f6214c1ba0041
<Turbolinux 8 Workstation>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/openssh-3.7.1p2-7.src.rpm
842986 8b3e5198f6d7ba7d690782c4fb535dbf
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/openssh-3.7.1p2-7.i586.rpm
194461 effeca82e99c5f588287714900c9e0ce
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/openssh-askpass-3.7.1p2-7.i586.rpm
34233 efdbcf14cfc2864bc775ed43b0451065
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/openssh-clients-3.7.1p2-7.i586.rpm
216449 9b03d77831caa37e124d206fdd3ed001
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/openssh-server-3.7.1p2-7.i586.rpm
225125 8126b27f4c566ebf345c473fc61b81f9
<Turbolinux 7 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/openssh-3.7.1p2-7.src.rpm
842986 7aa39df615b1461b6ee8e9ae958eac4a
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/openssh-3.7.1p2-7.i586.rpm
190143 5592f9753f6ec7dbafe79c1b97844a48
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/openssh-askpass-3.7.1p2-7.i586.rpm
33729 556c66a88fbabfab0ac2eec954cbe671
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/openssh-clients-3.7.1p2-7.i586.rpm
210220 b230b893f0cb77acc181819f728ac423
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/openssh-server-3.7.1p2-7.i586.rpm
217921 626961bcb0c39eb7dc926d88750039cd
References:
CVE
[
CAN-2005-2798]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=
CAN-2005-2798
--------------------------------------------------------------------------
Revision History
27 Dec 2005 Initial release
--------------------------------------------------------------------------
Copyright(C) 2005 Turbolinux, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFDsMhoK0LzjOqIJMwRAlv5AJsHb4xKYcQc9cbyGocxWiF1mjJD9wCfR306
3Xsh5qVSAvXmDUiKcT2zxOs=
=A1sc
-----END PGP SIGNATURE-----