Author: JT Smith
Category:
Author: JT Smith
Minutes of the GNOME Board meeting December 6 2001
===================================================
Presents:
=========
Havoc Pennington (chairing)
Daniel Veillard (minutes)
Miguel de Icaza
Nat Friedman
James Henstridge
Telsa Gwynne
Federico Mena
Jonathan Blandford
Jody Goldberg
Jim Gettys
George Lebl
Tim Ney
Administrativia:
================
- this was the first teleconference of the new board
- it ran for twice as long as usual meeting to start the
work in the new group.
Decisions:
==========
- Deciding normal time/frequency of board meetings
- GUADEC III is expected to take place in Seville, Spain, 4-6th of April 2002
- The new board thanks the people who served on the board last year and the
Election Committee who ran the election this year
- Investigating moving to ssh for GNOME CVS authentication if feasible
Actions done:
=============
ACTION: Tim to organize a confcall with the Guadec 3 organizers in Spain
Dan and Havoc will join the call
=> Done, with Dan, Havoc, Leslie and the core of the local organizing
comitee met on the phone
Actions:
========
ACTION: Tim to get the membership logos on the foundation page
=> in progress.
ACTION: Tim, John and Havoc to get a draft statement on the relation
with the free software and license policy.
=> Tim and Havoc will continue
ACTION: Tim to work on the Trademark registration for "GNOME" and the foot.
=> in progress
ACTION: Jim to restart the font discussions with various parties
=> in progress
New Actions:
============
ACTION: Havoc to fix the board list to reflect the new group
=> Done
ACTION: Nat to solve the arrangement for the teleconferences
ACTION: Nat and Jonathan talk to gnome-sysadmin about adding ssh
tunelling for GNOME ssh access
Discussion:
===========
- approve last meeting minutes:
The people present on the last board meeting think they are accurate.
http://mail.gnome.org/archives/foundation-announce/2001-December/msg00000.html
- The current board thanks the previous board members for serving
the foundation during the last year.
- The board also thanks the Election Committee for a job well done,
the election process was clear and proceeded smoothly.
- Outline how the board has been working so far:
10 first minutes discussing the current situation
Check the state of the log of actions + approval of previous meeting minutes
Agenda + chair + minute and try to keep on topic
Try to work by consensus
Meetings were every 2 weeks, one hour each
If someone misses the call, they should send regrets to the board list and
this will be recorded
- Briefing on some of the recent/pending issues we've been dealing with
extend the list:
- incorporation process:
Tim explained the current state of the incorporation. Currently
working on:
+ tax exemption status
+ trademarking the GNOME Foot and the "GNOME" name
+ Licensing and Copyright policies
- Marketing Working Group: started by Leslie Proctor with representative
from Gnome companies, includes a plan about shows and releases
- fonts:
Jim Gettys explained the status of the efforts done to get freely
redistributable fonts
The goal is to solve the font installation problem in general (i.e.
for all free XWindow desktops)
- Work out when to have future meetings
Tuesday every weeks for an hour for the next month and probably back to
a meeting every 2 weeks thereafter.
- GUADEC 3:
Tentatively the next GUADEC will take place in Seville, 4-6th of April 2002
- Moving to ssh for GNOME CVS authentication
pserver is not secure, the board think it's a good idea to try to use
ssh assuming the sysadmin team thinks it's doable/maintainable.
- Who wants to chair/secretary the next meetings
Havoc and Daniel will repectively chair and take minutes for the next month,
officers will be elected within the board in January or early next year.
- Next meeting next Tuesday 11 December
Daniel
--
Daniel Veillard | Red Hat Network https://rhn.redhat.com/
veillard@redhat.com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
_______________________________________________
Category:
Author: JT Smith
Category:
Author: JT Smith
Author: JT Smith
Category:
Author: JT Smith
=============================================================================
FreeBSD-SA-01:63 Security Advisory
FreeBSD, Inc.
Topic: OpenSSH UseLogin directive permits privilege escalation
[REVISED]
Category: core/ports
Module: openssh
Announced: 2001-12-02
Revised: 2001-12-06
Credits: Markus Friedl markus@OpenBSD.org>Affects: FreeBSD 4.3-RELEASE, 4.4-RELEASE
FreeBSD 4.4-STABLE prior to the correction date
Ports collection prior to the correction date
Corrected: 2001-12-03 00:53:28 UTC (RELENG_4)
2001-12-03 00:54:18 UTC (RELENG_4_4)
2001-12-03 00:54:54 UTC (RELENG_4_3)
2001-12-02 06:52:40 UTC (openssh port)
FreeBSD only: NO
0. Revision History
v1.0 2001-12-02 Initial release
v1.1 2001-07-31 Corrected patch instructions
I. Background
OpenSSH is an implementation of the SSH1 and SSH2 secure shell
protocols for providing encrypted and authenticated network access,
which is available free for unrestricted use. Versions of OpenSSH are
included in the FreeBSD ports collection and the FreeBSD base system.
II. Problem Description
OpenSSH includes a feature by which a user can arrange for
environmental variables to be set depending upon the key used for
authentication. These environmental variables are specified in the
`authorized_keys' (SSHv1) or `authorized_keys2' (SSHv2) files in the
user's home directory on the server. This is normally safe, as this
environment is passed only to the user's shell, which is invoked with
user privileges.
However, when the OpenSSH server `sshd' is configured to use
the system's login program (via the directive `UseLogin yes' in
sshd_config), this environment is passed to login, which is invoked
with superuser privileges. Because certain environmental variables
such as LD_LIBRARY_PATH and LD_PRELOAD can be set using the previously
described feature, the user may arrange for login to execute arbitrary
code with superuser privileges.
All versions of FreeBSD 4.x prior to the correction date including
FreeBSD 4.3 and 4.4 are potentially vulnerable to this problem.
However, the OpenSSH server is configured to not use the system login
program (`UseLogin no') by default, and is therefore not vulnerable
unless the system administrator has changed this setting.
In addition, there are two versions of OpenSSH included in the
ports collection. One is ports/security/openssh, which is the
BSD-specific version of OpenSSH. Versions of this port prior to
openssh-3.0.2 exhibit the problem described above. The other is
ports/security/openssh-portable, which is not vulnerable, even if the
server is set to `UseLogin yes'.
III. Impact
Hostile but otherwise legitimate users that can successfully
authenticate using public key authentication may cause /usr/bin/login
to run arbitrary code as the superuser.
If you have not enabled the 'UseLogin' directive in the sshd
configuration file, you are not vulnerable to this problem.
IV. Workaround
Doing one of the following will eliminate the vulnerability:
1) Configure sshd to not use the system login program. Edit the
server configuration file and change any `UseLogin' directives
to `UseLogin no'. This is the preferred workaround.
2) If for whatever reason, disabling `UseLogin' is not possible,
then one can instead disable public key authentication. Edit the
server configuration file and change any `RSAAuthentication',
`DSAAuthentication', or `PubKeyAuthentication' directives
to `RSAAuthentication no', `DSAAuthentication no', and
`PubKeyAuthentication no', respectively.
For sshd included in the base system (/usr/bin/sshd), the
server configuration file is `/etc/ssh/sshd_config'. For sshd
from the ports collection, the server configuration file is
`/usr/local/etc/sshd_config'.
After modifying the sshd configuration file, the sshd daemon must be
restarted by executing the following command as root:
# kill -HUP `cat /var/run/sshd.pid`
V. Solution
1) Upgrade the vulnerable system to 4.3-RELEASEp21, 4.4-RELEASEp1, or
4.4-STABLE after the correction date, or patch your current system
source code and rebuild.
2) FreeBSD 4.x systems prior to the correction date:
The following patch has been verified to apply to FreeBSD
4.3-RELEASE, 4.4-RELEASE, and 4.4-STABLE dated prior to the
correction date. It may or may not apply to older, unsupported
versions of FreeBSD.
Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:63/sshd.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:63/sshd.patch.asc
Execute the following commands as root:
# cd /usr/src/crypto/openssh
# patch security-officer@FreeBSD.org is requested so we can improve the
process for future advisories.
During the installation procedure, backup copies are made of the files
which are replaced by the package. These backup copies will be
reinstalled if the package is removed, reverting the system to a
pre-patched state. In addition, the package automatically restarts
the sshd daemon if it is running.
Three versions of the upgrade package are available, depending on
whether or not the system has the kerberosIV or kerberos5
distributions installed.
3a) For systems without kerberosIV or kerberos5 installed:
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-01.63.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-01.63.tgz.asc
Verify the detached PGP signature using your PGP utility.
# pkg_add security-patch-sshd-01.63.tgz
3b) For systems with kerberosIV only installed:
# fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-01.63.tgz
# fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-01.63.tgz.asc
Verify the detached PGP signature using your PGP utility.
# pkg_add security-patch-sshd-kerberosIV-01.63.tgz
3c) For systems with kerberos5 only installed:
# fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberos5-01.63.tgz
# fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberos5-01.63.tgz.asc
Verify the detached PGP signature using your PGP utility.
# pkg_add security-patch-sshd-kerberos5-01.63.tgz
3d) For systems with both kerberosIV and kerberos5 installed:
# fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-kerberos5-01.63.tgz
# fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-kerberos5-01.63.tgz.asc
Verify the detached PGP signature using your PGP utility.
# pkg_add security-patch-sshd-kerberosIV-kerberos5-01.63.tgz
[Ports collection]
One of the following:
1) Upgrade your entire ports collection and rebuild the OpenSSH port.
2) Deinstall the old package and install a new package dated after the
correction date, obtained from:
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/openssh-3.0.2.tgzftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/openssh-3.0.2.tgz
[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.
NOTE: It may be several days before updated packages are available. Be
sure to check the file creation date on the package, because the
version number of the software has not changed.
3) Download a new port skeleton for the openssh port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgzftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
VI. Correction details
Path Revision
Branch
-------------------------------------------------------------------------
src/crypto/openssh/session.c
HEAD 1.18
RELENG_4 1.4.2.11
RELENG_4_4 1.4.2.8.4.1
RELENG_4_3 1.4.2.8.2.1
src/crypto/openssh/version.h
HEAD 1.9
RELENG_4 1.1.1.1.2.7
RELENG_4_4 1.1.1.1.2.5.2.1
RELENG_4_3 1.1.1.1.2.4.2.1
ports/security/openssh/Makefile 1.79
-------------------------------------------------------------------------
For OpenSSH included in the base system, there is a version string
indicating which FreeBSD localizations are available. The following
table lists the version strings for each branch which include this
security fix:
Branch Version string
-------------------------------------------------------------------------
HEAD OpenSSH_2.9 FreeBSD localisations 20011202
RELENG_4 OpenSSH_2.9 FreeBSD localisations 20011202
RELENG_4_4 OpenSSH_2.3.0 FreeBSD localisations 20011202
RELENG_4_3 OpenSSH_2.3.0 green@FreeBSD.org 20011202
-------------------------------------------------------------------------
To view the version string of the OpenSSH server, execute the following
command:
% /usr/sbin/sshd -?
The version string is also displayed when a client connects to the
server.
VII. References
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c#rev1.110>
Category:
Author: JT Smith
---------------------------------------------------------------------
Red Hat, Inc. Red Hat Security Advisory
Synopsis: Updated secureweb packages available
Advisory ID: RHSA-2001:164-08
Issue date: 2001-12-05
Updated on: 2001-12-07
Product: Red Hat Secure Web Server
Keywords: secureweb directory listing
Cross references: RHSA-2001:126
Obsoletes: RHBA-2000:020
---------------------------------------------------------------------
1. Topic:
Updated packages are now available for Red Hat Secure Web Server 3.2 (U.S.).
These updates close a potential security hole which would present clients
with a listing of the contents of a directory instead of the contents of an
index file or the proper error message.
2. Relevant releases/architectures:
Red Hat Secure Web Server 3.2 - i386
3. Problem description:
By using a carefully constructed HTTP request, a server with
mod_negotiation and either mod_dir or mod_autoindex loaded could be tricked
into displaying a listing of the contents of a directory, despite the
presence of an index file.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CAN-2001-0730, and CAN-2001-0731 to these issues.
4. Solution:
The main secureweb package is provided as an rhmask file. In order to
generate the actual secureweb RPM package, you will need the
secureweb-3.2-12 package file from the Secure Web Server CD. Then, using
the rhmask command, generate the secureweb RPM package:
rhmask secureweb-3.2-12.i386.rpm secureweb-3.2.4-1.i386.rpm.rhmask
Before applying this update, make sure you have applied all previously
released errata relevant to your system.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.
5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
6. RPMs required:
Red Hat Secure Web Server 3.2:
i386:
ftp://updates.redhat.com/3.2/en/secureweb/i386/secureweb-3.2.4-1.i386.rpm.rhmaskftp://updates.redhat.com/3.2/en/secureweb/i386/secureweb-devel-3.2.4-1.i386.rpmftp://updates.redhat.com/3.2/en/secureweb/i386/secureweb-manual-3.2.4-1.i386.rpm
7. Verification:
MD5 sum Package Name
--------------------------------------------------------------------------
3097ba872708a54b64354a54a3e38771 3.2/en/secureweb/i386/secureweb-3.2.4-1.i386.rpm.rhmask
93f2a1bbe394454bf35c665b5ceebddf 3.2/en/secureweb/i386/secureweb-devel-3.2.4-1.i386.rpm
f819ce00eea66d0524cba6f92c7a661e 3.2/en/secureweb/i386/secureweb-manual-3.2.4-1.i386.rpm
These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at:
http://www.redhat.com/about/contact/pgpkey.html
You can verify each package with the following command:
rpm --checksig
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nogpg
8. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0730http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0731http://www.apacheweek.com/issues/01-10-05#securityhttp://httpd.apache.org/dist/httpd/CHANGES_1.3http://www.securityfocus.com/bid/3009
Copyright(c) 2000, 2001 Red Hat, Inc.
Category:
Author: JT Smith
Author: JT Smith
From: Roman Drahtmueller <draht@suse.de>
To: <bugtraq@securityfocus.com>
Subject: SuSE Security Announcement: openssh (SuSE-SA:2001:045) (re-released
SuSE-SA:2001:044)
Date: Thu, 6 Dec 2001 22:01:45 +0100 (MET)
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: openssh
Announcement-ID: SuSE-SA:2001:045
Date: Thursday, Dec 6th 2001 21:30 MET
Affected SuSE versions: 6.4, 7.0, 7.1, 7.2, 7.3
Vulnerability Type: local privilege escalation
Severity (1-10): 5
SuSE default package: yes
Other affected systems: systems running openssh
Content of this advisory:
1) security vulnerability resolved: openssh
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) Re-release of SuSE Security Announcement SuSE-SA:2001:044, brief history,
Clarification, new problem fixed, upgrade information.
This is a re-release of the SuSE Security Announcement SuSE-SA:2001:044,
adding another bugfix for the openssh package as well as more detailed
information about the vulnerabilities to prevent misunderstandings.
The currently supported SuSE distributions 6.4 and newer come with two
implementations of the secure shell protocol: The package names are
"ssh" and "openssh".
Brief history:
In 1998, a vulnerability of the secure shell protocol in version 1 has
been discovered and named "crc32 compensation attack". The vulnerability
allows an attacker to insert arbitrary sequences into the ssh-1 protocol
layer. At that time, an added patch fixed the problem in the ssh
implementation (visible in the client-side verbose output of the ssh
command (-v): "Installing crc compensation attack detector.").
In early 2001, Michal Zalewski discovered that the widely used patch
was defective and opened another security hole which is being actively
exploited today. SuSE Security announcement SuSE-SA:2001:004, published
February 16th 2001, available at *[1], addresses this defective patch,
among other issues.
Clarification/Apology:
Our last openssh security announcement SuSE-SA:2001:044 (*[3]) may falsely
lead to assume that the openssh-2.9.9p2 update packages on our ftp
server fix the vulnerabilities known as crc32 compensation attack.
This is incorrect since the openssh-2.3.0 packages released with SuSE
Security announcement SuSE-SA:2000:047 in November 2000, available at
*[2], already fixed the mentioned (among other) problems. The release
of the openssh-2.9.9p2 update packages obsoletes the openssh-2.3.0 update
packages.
We explicitly regret the used wording and apologize to the openssh
development team, in particular Markus Friedl and Theo De Raadt, and
thank them for their excellent work on the project.
Scanning utilities that can be found on the internet connect to port 22
of a server and read the version string. It should be noted that the bare
knowlege of the secure shell protocol version string does not allow to
determine whether a running secure shell daemon is actually vulnerable
to the defective fix for the crc32 compensation attack.
SuSE security receive dozens of requests about statements if the daemons
in use are vulnerable or not. Please see reference *[1].
New problem fixed:
This re-release of SuSE Security Announcement SuSE-SA:2001:044 (please
see reference *[3] below) adds another patch to the openssh-2.9.9p2
packages: A bug allows a local attacker on the server to specify
environment variables that can influence the login process if the
"UseLogin" configuration option on the server side is set to "yes".
If exploited, the local attacker on the secure shell server can execute
arbitrary commands as root.
In the default configuration of the package, the UseLogin option is set
to "no", which means that the administrator of the server must have set
the option to "yes" manually before the bug can be exploited.
Users who upgraded their SuSE openssh package before December 6th 2001
should upgrade their package again. Use the command "rpm -q openssh"
to see which version/release of the package you have installed, and
compare this version with the one as listed below.
Upgrade information:
You can find out which implementation of the ssh protocol you are using
with the command "rpm -qf /usr/bin/ssh".
If you use the ssh-1.2.* package, please read Reference *[1].
If you use the openssh-* package, please download the rpm package for
your distribution from the URL list below, verify its integrity using
the methods as described in section 3) of this security announcement
and install the package using the command
rpm -Uhv file.rpm
where file.rpm is the filename of the package that you have downloaded.
References:
*[1]: http://www.suse.de/de/support/security/adv004_ssh.txt
*[2]: http://www.suse.de/de/support/security/2000_047_openssh_txt.txt
*[3]: http://www.suse.de/de/support/security/2001_044_openssh_txt.txt
SPECIAL INSTALL INSTRUCTIONS:
The sshd secure shell daemon on the server side has to be restarted for
the new package to become active. If you are logged on on the console,
the simple command "rcsshd restart" should do this for you.
If you are logged on via secure shell, you should make sure that you
do not terminate the connections that are established through the running
secure shell daemon/its children. In this case, kill the daemon after
package installation using the command
kill -TERM `cat /var/run/sshd.pid`
and then restart the daemon with the command
/usr/sbin/sshd
as root.
Then, verify that the login procedure works as before. One of the main
changes in the new openssh package is that the file
$HOME/.ssh/authorized_keys2 is only read by the server if the file
$HOME/.ssh/authorized_keys does not exist and if protocol version 2 is
being used. The file $HOME/.ssh/authorized_keys2 can be removed after
its contents have been added to $HOME/.ssh/authorized_keys.
The two configuration files /etc/ssh/sshd_config (server side) and
/etc/ssh/ssh_config (client side) contained in the openssh package
do not get overwritten upon installation or upgrade, if you have changed
them manually. Instead, the new configuration files are written with a
.rpmnew suffix. The defaults as provided in the SuSE package make an
effort to establish both convenience as well as security.
NOTE: Packages for SuSE Linux distributions 7.0 and older containing
cryptographic software are located on our German ftp server ftp.suse.de
for legal reasons. Packages for all other distributions (7.1 and newer)
can be found at their regular path at ftp.suse.com.
i386 Intel Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec1/openssh-2.9.9p2-74.i386.rpm
f3d60cce6d62dbf79c36a849811c19d7
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/openssh-2.9.9p2-74.src.rpm
4246e40b1e5a7b4456f2bb4c05177126
SuSE-7.2
ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec1/openssh-2.9.9p2-74.i386.rpm
3764a15b17b0823c6fa2e8e4aee5af69
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/openssh-2.9.9p2-74.src.rpm
e9cccadf767cb80e3c588266d6886153
SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/sec1/openssh-2.9.9p2-73.i386.rpm
4dbcdb2a544cadd36749baea890bc38e
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/openssh-2.9.9p2-73.src.rpm
04400597a1b9526bc78344e8e523fa40
SuSE-7.0
ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/openssh-2.9.9p2-73.i386.rpm
29dcc882bf30cbe88c94b07bb84e7216
source rpm:
ftp://ftp.suse.de/pub/suse/i386/update/7.0/zq1/openssh-2.9.9p2-73.src.rpm
b852431e4711d7f45a8bd180532325b0
SuSE-6.4
ftp://ftp.suse.de/pub/suse/i386/update/6.4/sec1/openssh-2.9.9p2-73.i386.rpm
8cfe1e9d2dd964851acb42e1e13311b9
source rpm:
ftp://ftp.suse.de/pub/suse/i386/update/6.4/zq1/openssh-2.9.9p2-73.src.rpm
a3686e39258d03c99fc2ba3573325c2a
Sparc Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/sec1/openssh-2.9.9p2-24.sparc.rpm
32d3a1c735d2c27cb580fedeeed3a135
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/openssh-2.9.9p2-24.src.rpm
82540b2297b2d03d45118b3c23a72bf8
SuSE-7.1
The update packages for the SuSE Linux 7.1 Sparc distributions are not
available yet. The package can soon be found at
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/sec1/openssh.rpm
SuSE-7.0
ftp://ftp.suse.de/pub/suse/sparc/update/7.0/sec1/openssh-2.9.9p2-24.sparc.rpm
638891762f09e01b83e9c39c184ce9ea
source rpm:
ftp://ftp.suse.de/pub/suse/sparc/update/7.0/zq1/openssh-2.9.9p2-24.src.rpm
ad3520ad8907c585f84facb742fc03bf
AXP Alpha Platform:
SuSE-7.1
ftp://ftp.suse.com/pub/suse/axp/update/7.1/sec1/openssh-2.9.9p2-26.alpha.rpm
04e815054c9bc3a1b0a1ddda8c6e2d10
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/openssh-2.9.9p2-26.src.rpm
32c39e29517fc8269f252f7cc6f18bce
The update packages for the SuSE Linux AXP/Alpha distributions before
SuSE-7.1 are not available on our ftp server yet. These packages can be
found at the usual location in the update paths on ftp.suse.de.
PPC Power PC Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec1/openssh-2.9.9p2-49.ppc.rpm
4b056c828675898bf482e9ecb4f91a0b
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/openssh-2.9.9p2-49.src.rpm
e10ed49e7319c244caf324a64f16c738
SuSE-7.1
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/sec1/openssh-2.9.9p2-49.ppc.rpm
163126a80ff0167b34c041348ef5c3c4
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/openssh-2.9.9p2-49.src.rpm
948862c53dc62e921b03766c986a4de2
SuSE-7.0
ftp://ftp.suse.de/pub/suse/ppc/update/7.0/sec1/openssh-2.9.9p2-48.ppc.rpm
aff3785ac9670daa0e06445ad9b5a2b9
source rpm:
ftp://ftp.suse.de/pub/suse/ppc/update/7.0/zq1/openssh-2.9.9p2-48.src.rpm
ccfb132470cb61b52688fc12f1352b12
SuSE-6.4
ftp://ftp.suse.de/pub/suse/ppc/update/6.4/sec1/openssh-2.9.9p2-48.ppc.rpm
ae20b7379474735126636aed05f6eeee
source rpm:
ftp://ftp.suse.de/pub/suse/ppc/update/6.4/zq1/openssh-2.9.9p2-48.src.rpm
2351d7667c02a1ad33e21bd39196cf0a
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- We are currently testing kernel update packages for the recently
found local security flaw in the ELF binary loader in the Linux
kernel of all v2.4 versions and expect to be able to announce these
update rpm packages soon with a re-release of our kernel security
announcement.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum <name-of-the-file.rpm>
after you downloaded the file from a SuSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security@suse.de),
the checksums show proof of the authenticity of the package.
We disrecommend to subscribe to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SuSE in rpm packages for SuSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SuSE Linux distributions version 7.1 and thereafter install the
key "build@suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the toplevel directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
- SuSE runs two security mailing lists to which any interested party may
subscribe:
suse-security@suse.com
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe@suse.com>.
suse-security-announce@suse.com
- SuSE's announce-only mailing list.
Only SuSE's security annoucements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe@suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info@suse.com> or
<suse-security-faq@suse.com> respectively.
=====================================================================
SuSE's security contact is <security@suse.com> or <security@suse.de>.
The <security@suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the cleartext signature shows proof of the
authenticity of the text.
SuSE GmbH makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CpkBogQ57vSBEQQAk/GN+ftr7+DBlSoixDDpfRnUk+jApGEt8hCnrnjV
nPs/9Cr33+CXLQbILOO7Y5oiPbJdHh45t4E0fKyLVzDerCRFB1swz/mNDxT26DLy
sdBV5fwNHTPhxa67goAZVrehQPqJEckkIpYriOaYcKpF3n5fQIZMEfMaHEElQhcX
ML8AoJVXDkJYh7vI8EUB8ZURNLZMEECNA/sH0MCnb4Q6ZcRyeZ3+1PHP8hP73b6T
epRdLZhaylwVF/iu7uIn62ZUL4//NTOCDY7V63qg4iba/fUbOsWtEnGaiE7mQuAl
sSWvRspwRA9/g9rdVf3/JdLJrLmKBTheyG+PSJE3W7cAE4ZWafGxIRCwXhmj3TQn
Jn2euqylHRubEQP/aL53NZK0kBdvrKgff6O8Of6tqoss8Dkk55I7QVFSp+My1Dn+
mngQKFejTAgtyo/WmR3wPjQ9HoT2lRiYI2lTRYT4uMdHuwVC3b4DqAKmoy375FER
wHkrMVyKBJslv8QtbAWw5A1CAUseaHo+91wmYJ4/4p6YUahqbG/tZyhbxfq0KFN1
U0UgUGFja2FnZSBTaWduaW5nIEtleSA8YnVpbGRAc3VzZS5kZT6IXAQTEQIAHAUC
Oe70gQUJA8JnAAQLCgMEAxUDAgMWAgECF4AACgkQqE7a6JyACspfLACffAYA+NM8
NBhyRyH+nTX58CNjwLIAoIx9fj52BJe0xY7WbKoXs1+72b2AiEYEEBECAAYFAjpw
XlIACgkQnkDjEAAKq6TczgCgi+ddhWb7+FWcfeE6WwPZccqAHowAnjjtRyGwHLQH
r5OTFAYTXi2Wv6jNiQEVAwUQOnBgb3ey5gA9JdPZAQE1pwf/QJ+b34lFBNVUJ7fk
/xGJJREt7V12iSafaRzGuH8xWvIz1bb+VARxnnt16FDQ1cDNjoEhCEmcW83Vxp6i
JXE9PE8wVA/Yue/bon5JS7J69+UiQ2eq2pudfwljp52lYVM53jgPYEz0q/v3091n
lZ8CYkAkN9JDS1lV1gEzJ7J0+POngDpU+lDQT2EC6VKaxeWK8pNt6UFDwICRDQxK
nlOoiDvTrdWT7QdJZ4sPv8Qotdw9+tKNbWQ2DqdIRxyTdw9xDfAtcj6mXeQr7852
Lwem1gSKVnEYHZ9g1FTJqVOutY8KhpUc9RfOCRv8XuIxrs4KSbfSF0s8qIRCQelx
ufg9AbkCDQQ57vSSEAgAhJHQTejMX+Vr6g1pHDEcusJ63fQ2CfFFE5iE9okH9O7U
VCiSfb9CV38dmeHdPCEEjDUWquFYEnvj3WICMtH249t1Ymuf4Du3yRKQ9oXdn/qT
Jzlrx9qzjiG3mH7ocwHOgUIwCrZoEdBEVE2n0zPVm+hddwjWWTWXw6pxQz+i9dsN
89xexRV5M9O0bNwCLaNWX2GXeLAkqTK/9EuZy6x2yLxi6du9YYUAXkZpqBhCjtiU
XpRoFCdglMznbcAyCk9C2wqb2j/D1Z2BeSBaGCSFkR6pRLebnE17LWcu72Iy+r0z
+JecbPiyDpDZj4apn7IC81aNFGi7fNITsHODbwwjiwADBgf/YPvVdzkc8OC7ztac
EWCanwylKvxCdKzTDA+DfES6WUYShyiVJvZzRy25LJ5WcK20kzOS6Qv1OrIXiz/p
dGy1aKtJZrAnFEsofpmOj8VoqyyFgp/yAGQBp12+mXek7SCZRhuqalDfEMRiWEJ6
J5dLkyShyRDWyPbFh0HXE7QTHN+IKKxxQqNQXL6Z3NSxS61p+5n6BseiDUI39xxk
KTFwFrkgUIc5Gs2Or2lhaWvGwSfoCmwbsklszZt6xbU+R0SjFqTvjPWx6eHfqbmN
C9WMDdTjGrXDDKXFp2aYlokfN6It9vsbVlGNlOwHt/JjGoPMxW6Xqj0FLA7/Vewg
CdXW64hMBBgRAgAMBQI57vSSBQkDwmcAAAoJEKhO2uicgArKSyIAmwUHf/vtKQfc
mVg4asR7U6XQl0bAAJ4pO22B5U8UH6IYl2LBCXFqw5+5fA==
=rVRn
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
iQEVAwUBPA/bG3ey5gA9JdPZAQHnwAf/UHDibA3CmfvsAtnzeQ3YaEf7tgOMtvz0
wr9gMZlU+L96Trhv9iAeUEenYc2KTe8ye4SvLHxKlQ3IotmFjhoehLzYM/tynhM8
0nCsnK7vuQNmJnbyE8shWvmAcAv4klJW1g/hV73EhjO/YJe4nx7H+cF3M1hzhGwv
d4t9Y8SjHBrvSt9nuq/yFsta4dKy5il30jPtd379O3TcjJP4cBC30o3wKt11f9ld
GYSURp31kQT13VJxw75GxCkv3b0PpxepT1HUQmqGCGx1xxGV/XYKCbwCnwjHi4zC
n52B6gHc0wilYdLrQdHb0uZwVn4fcxHirbdpwVyWTrBgPkLE3aHVhg==
=tcBY
-----END PGP SIGNATURE-----
Category:
Author: JT Smith
IBM’s decision to Open-Source a $40 million software tools development platform code-named Eclipse is starting to gather momentum, with IBM and a handful of partners launching an Open Source project at Eclipse.org.
Along with seven other tech companies — including Red Hat, SuSE and Borland — IBM launched Eclipse.org late last week, and IBM officials are already excited by the response they’ve received about the release of the Eclipse platform in early November.
According to IBM, the software was averaging 4,000 downloads daily in the first month of its release. “We’re blown away by the response of the community so far,” says Scott Handy, director of worldwide Linux solutions marketing for IBM.
Also, this week, IBM announced it is shipping its first tool for Linux based on the Eclipse platform, which Handy compares to a “work bench.” The first tool for that work bench is the beta version of WebSphere Studio Application Developer for Linux (a Windows version is already available). According to a press release from IBM, its WebSphere Studio tools are the first commercially available tools built on Eclipse. IBM plans to release a Linux version of WebSphere Studio Site Developer in the first quarter of 2002.
Handy explains the Eclipse platform like this: “This is actual technology that [developers] can reuse and port their tools on top of — so Eclipse is a work bench — as a plugin. Tools will become plugins to this technology, and can reuse a lot of code in the underlying framework.”
Handy predicts the release of Eclipse as an Open Source platform will have far-reaching effects on the programming tools industry. “It really does two things to the industry,” he says. “One is because of the re-use, a lot of the tools will be able to, in a much simpler fashion, work together. They will all use the same underlying way to communicate with each other … and we can all talk, because we’re all talking the exact same language.”
Handy predicts third-party companies will find it easier to pitch their tools to developers. “A whole ‘nother industry that it really opens up is the ability for especially a small shop, or a small developer, to just create a little plugin that adds value to somebody else’s tool. They can take their extreme value-add of knowing an industry or a segment really well and create a plugin that will work with our tools, or Borland’s tools, or both.”
Handy says the creation of Eclipse.org, and its governing board made up of the eight founding companies, was an important step in getting the project moving. He says IBM is glad to have some of its competitors in the tools market on the board.
“We really wanted to level the playing field in the tools market, and allow everybody to participate,” Handy says. “Some would even consider some of these companies our competitors in the tools space, and they are, but we want to cooperate in industry initiatives.”
The board will give some structure to the Open Source project, he adds. “The board gets to vote on the direction of the technology. Now, we’ve let go. This is no longer an IBM technology, it’s an Open Source technology.”
Simon Thornhill, Borland’s vice president and general manager of rapid application development solutions, says the Eclipse.org project helps companies like his work with others to establish standards for Open Source development tools.
“Borland is strongly committed to supporting Open Source development,” Thornhill says. “As we continue to develop, enhance, and freely distribute the Borland FreeCLX Open Source Framework for Linux, we plan to support Open Source tool efforts such as
Eclipse that are complimentary to the framework and our shared goals of open
source development.”
While the original board is made up of eight companies, Handy says he expects that the Eclipse.org project won’t continue to be dominated only by corporate interests; he’s expecting that smaller companies and individual developers will get involved and drive the direction of the project as well. The makeup of the board can change, he says, and he hopes Eclipse will look something like the Linux project, with both companies and independent developers contributing.
“Good ideas go a long way,” he says. “What usually happens is … a few developers who really understand the technology and have the best ideas will bubble to the top. Getting to that top contributor spot is earned, it’s not a right.”