MDKSA-2005:172 - Updated openssh packages fix GSSAPI credentials vulnerability
Posted on: 10/06/2005 09:12 PM

The Mandriva Security Team published a new security update: MDKSA-2005:172 - Updated openssh packages fix GSSAPI credentials vulnerability for Mandriva Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Update Advisory
_______________________________________________________________________

Package name: openssh
Advisory ID: MDKSA-2005:172
Date: October 6th, 2005

Affected versions: 10.2
______________________________________________________________________

Problem Description:

Sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled,
allows GSSAPI credentials to be delegated to clients who log in using
non-GSSAPI methods, which could cause those credentials to be exposed
to untrusted users or hosts.

GSSAPI is only enabled in versions of openssh shipped in LE2005 and
greater.

The updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?nameƊN-2005-2798
______________________________________________________________________

Updated Packages:

Mandrivalinux 10.2:
5b16f3323d58303c290bf4b8c4e2a4b3 10.2/RPMS/openssh-3.9p1-9.1.102mdk.i586.rpm
2a7fca4e1c99008a53cb9498c1bd9840 10.2/RPMS/openssh-askpass-3.9p1-9.1.102mdk.i586.rpm
65f397d175fb638d0e73912a7e9faa7d 10.2/RPMS/openssh-askpass-gnome-3.9p1-9.1.102mdk.i586.rpm
2733baa7c0258da37920d66a7f1ee9d3 10.2/RPMS/openssh-clients-3.9p1-9.1.102mdk.i586.rpm
a93cd3020e41bd6b25c3fa57ca8586f8 10.2/RPMS/openssh-server-3.9p1-9.1.102mdk.i586.rpm
f90cfc307f313e14ddd919fc729f1984 10.2/SRPMS/openssh-3.9p1-9.1.102mdk.src.rpm

Mandrivalinux 10.2/X86_64:
545f0245578cee586f2ded4b3616061a x86_64/10.2/RPMS/openssh-3.9p1-9.1.102mdk.x86_64.rpm
98962ab477d7cc19338d04acdb462ec1 x86_64/10.2/RPMS/openssh-askpass-3.9p1-9.1.102mdk.x86_64.rpm
0935a8dd00cdb2604e6fd37a6913cb91 x86_64/10.2/RPMS/openssh-askpass-gnome-3.9p1-9.1.102mdk.x86_64.rpm
7c124895fc7fad47d1e88ee3ebe91daf x86_64/10.2/RPMS/openssh-clients-3.9p1-9.1.102mdk.x86_64.rpm
27bc59e934f3d196470611cc4e9dd430 x86_64/10.2/RPMS/openssh-server-3.9p1-9.1.102mdk.x86_64.rpm
f90cfc307f313e14ddd919fc729f1984 x86_64/10.2/SRPMS/openssh-3.9p1-9.1.102mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
lt;security*mandriva.comgt;

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDReVGmqjQ0CJFipgRAgi7AJoDZK/7jx9vTmuREYGwbuuHWPZBpgCeM6Nu
tKt935OPASf8jkciIGK6c2w=
=ekrb
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/_mdksa_2005172__updated_openssh_packages_fix__gssapi_credentials_vulnerability.html)