Mailing-List: contact cygwin-announce-help AT cygwin DOT com; run by ezmlm List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-announce-owner AT cygwin DOT com Delivered-To: mailing list cygwin-announce AT cygwin DOT com Delivered-To: moderator for cygwin-announce AT cygwin DOT com Date: Wed, 26 Jun 2002 18:50:10 +0200 From: Corinna Vinschen To: cygann Subject: Updated: OpenSSH-3.4p1-1 Message-ID: <20020626185010.F22705@cygbert.vinschen.de> Reply-To: cygwin Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.22.1i I've updated the version of OpenSSH to 3.4p1-1. This is a official bug fix release. Note that the Cygwin source differs in one file from the official source since a last minute patch of the official OpenSSH maintainers did break privilege separation for Cygwin again :-( So the Cygwin source archive contains a patched sshd.c. The comment given yesterday concerning privilege separation in Cygwin still applies: ======================================================================== This version allows to use privilege separation in a slightly restricted way. Since privilege separation is consisting of two independent parts (preauth, postauth) and only the postauth part requires descriptors passing, this version enables the usage of preauth privilege separation in Cygwin. Note that this doesn't create an additional sshd process as described in the README.privsep file and note that this isn't still as secure as fully-fledged privilege separation but it's a good start. Since using privilege separation requires creating a new account called "sshd" and creating a directory /var/empty, this is still not the default setting on Cygwin. If you want to use privilege separation, please follow the hints of the /usr/doc/openssh/README.privsep document. And please switch on your brain's abstraction layer since you can't obviously not use `useradd' and you can't obviously not create a group with the same name on NT systems. Creating that group isn't actually required, fortunately. ======================================================================== Ok, this release fixes a security problem in sshd. The following text is the... Official Security Advisory: ======================================================================== 1. Versions affected: All versions of OpenSSH's sshd between 2.9.9 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation. OpenSSH 3.4 and later are not affected. OpenSSH 3.2 and later prevent privilege escalation if UsePrivilegeSeparation is enabled in sshd_config. OpenSSH 3.3 enables UsePrivilegeSeparation by default. Although OpenSSH 2.9 and earlier are not affected upgrading to OpenSSH 3.4 is recommended, because OpenSSH 3.4 adds checks for a class of potential bugs. 2. Impact: This bug can be exploited remotely if ChallengeResponseAuthentication is enabled in sshd_config. Affected are at least systems supporting s/key over SSH protocol version 2 (OpenBSD, FreeBSD and NetBSD as well as other systems supporting s/key with SSH). Exploitablitly of systems using PAM in combination has not been verified. 3. Short-Term Solution: Disable ChallengeResponseAuthentication in sshd_config. or Enable UsePrivilegeSeparation in sshd_config. 4. Solution: Upgrade to OpenSSH 3.4 or apply the following patches. 5. Credits: ISS. Appendix: A: Index: auth2-chall.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v retrieving revision 1.18 diff -u -r1.18 auth2-chall.c --- auth2-chall.c 19 Jun 2002 00:27:55 -0000 1.18 +++ auth2-chall.c 26 Jun 2002 09:37:03 -0000 @@ -256,6 +256,8 @@ authctxt->postponed = 0; /* reset */ nresp = packet_get_int(); + if (nresp > 100) + fatal("input_userauth_info_response: nresp too big %u", nresp); if (nresp > 0) { response = xmalloc(nresp * sizeof(char*)); for (i = 0; i < nresp; i++) B: Index: auth2-pam.c =================================================================== RCS file: /var/cvs/openssh/auth2-pam.c,v retrieving revision 1.12 diff -u -r1.12 auth2-pam.c --- auth2-pam.c 22 Jan 2002 12:43:13 -0000 1.12 +++ auth2-pam.c 26 Jun 2002 10:12:31 -0000 @@ -140,6 +140,15 @@ nresp = packet_get_int(); /* Number of responses. */ debug("got %d responses", nresp); + + if (nresp != context_pam2.num_expected) + fatal("%s: Received incorrect number of responses " + "(expected %u, received %u)", __func__, nresp, + context_pam2.num_expected); + + if (nresp > 100) + fatal("%s: too many replies", __func__); + for (i = 0; i < nresp; i++) { int j = context_pam2.prompts[i]; ======================================================================== And now the... Official Release Message: ==================================================================== OpenSSH 3.4 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support and encouragement. Changes since OpenSSH 3.3: ============================ Security Changes: ================= All versions of OpenSSH's sshd between 2.9.9 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation. OpenSSH 3.4 fixes this bug. In addition, OpenSSH 3.4 adds many checks to detect invalid input and mitigate resource exhaustion attacks. OpenSSH 3.2 and later prevent privilege escalation if UsePrivilegeSeparation is enabled in sshd_config. OpenSSH 3.3 enables UsePrivilegeSeparation by default. Reporting Bugs: =============== - please read http://www.openssh.com/report.html and http://bugzilla.mindrot.org/ OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller and Ben Lindstrom. ==================================================================== To update your installation, click on the "Install Cygwin now" link on the http://cygwin.com/ web page. This downloads setup.exe to your system. Once you've downloaded setup.exe, run it and select "Net" and then click on the appropriate field until the above announced version number appears if it is not displayed already. If you have questions or comments, please send them to the Cygwin mailing list at: cygwin AT cygwin DOT com . I would appreciate it if you would use this mailing list rather than emailing me directly. This includes ideas and comments about the setup utility or Cygwin in general. If you want to make a point or ask a question, the Cygwin mailing list is the appropriate place. *** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO *** If you want to unsubscribe from the cygwin-announce mailing list, look at the "List-Unsubscribe: " tag in the email header of this message. Send email to the address specified there. It will be in the format: cygwin-announce-unsubscribe-you=yourdomain DOT com AT cygwin DOT com If you need more information on unsubscribing, start reading here: http://sources.redhat.com/lists.html#unsubscribe-simple Please read *all* of the information on unsubscribing that is available starting at this URL. I implore you to READ this information before sending email about how you "tried everything" to unsubscribe. In 100% of the cases where people were unable to unsubscribe, the problem was that they hadn't actually read and comprehended the unsubscribe instructions. If you need to unsubscribe from cygwin-announce or any other mailing list, reading the instructions at the above URL is guaranteed to provide you with the info that you need. -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Developer mailto:cygwin AT cygwin DOT com Red Hat, Inc.