Secunia - Stay Secure
Gartner
Home Corporate Website Jobs Updated Mailing Lists RSS Blog  Online Shop Advertise
Software Inspectors
  Scan Online
  Personal (PSI)
  Network (NSI 2.0)

Solutions For
  Security Professionals
  Security Vendors

Free Solutions For
  Open Communities
  Journalists & Media

Secunia Advisories
  Search
  Historic Advisories
  Listed By Product
  Listed By Vendor
  Statistics / Graphs
  Secunia Research
  Report Vulnerability
  About Advisories

Virus Information
  Chronological List
  Last 10 Virus Alerts
  About Virus Information

Secunia Customers
  Customer Area


Debian update for openssh Advisory Available in German 

Secunia Advisory: SA30249  
Release Date: 2008-05-14
Last Update: 2008-05-19

Critical:
Moderately critical
Impact: Security Bypass
Exposure of sensitive information
Where: From remote
Solution Status: Vendor Patch

OS:Debian GNU/Linux 4.0
Debian GNU/Linux unstable alias sid


CVE reference:CVE-2007-4752 (Secunia mirror)
CVE-2008-0166 (Secunia mirror)
CVE-2008-1483 (Secunia mirror)
Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS!


Description:
Debian has issued an update for openssh. This fixes a vulnerability, which can be exploited by malicious, local users to disclose potentially sensitive information and a security issue, which can lead to weak cryptographic key material.

For more information:
SA29522
SA30220

Solution:
Apply updated packages and recreate all cryptographic key material (see vendor advisory for more information).

-- Debian GNU/Linux 4.0 alias etch --

Source archives:

http://security.debian.org/pool/updates/main/o/openssh/openssh_4.3p2-9etch2.dsc
Size/MD5 checksum: 1010 7bcad5f65ff1722db7c431d3a25e8578
http://security.debian.org/pool/updates/main/o/openssh/openssh_4.3p2.orig.tar.gz
Size/MD5 checksum: 920186 239fc801443acaffd4c1f111948ee69c
http://security.debian.org/pool/updat.../openssh/openssh_4.3p2-9etch2.diff.gz
Size/MD5 checksum: 276621 27984546be5ba87687ae6e7e5df36578

Architecture independent packages:

http://security.debian.org/pool/updat...openssh/ssh-krb5_4.3p2-9etch2_all.deb
Size/MD5 checksum: 92022 1cd59a62eb401f21421f13a6caf3d509
http://security.debian.org/pool/updates/main/o/openssh/ssh_4.3p2-9etch2_all.deb
Size/MD5 checksum: 1052 b096153814cc8949820d9958f8b81a00

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updat...-askpass-gnome_4.3p2-9etch2_alpha.deb
Size/MD5 checksum: 100498 2fa04ed9e0ee9625f28964938cc19b64
http://security.debian.org/pool/updat...openssh-client_4.3p2-9etch2_alpha.deb
Size/MD5 checksum: 782726 0c48b38fc56cdaedb3d4a1eab9ecd25d
http://security.debian.org/pool/updat...h-server-udeb_4.3p2-9etch2_alpha.udeb
Size/MD5 checksum: 213728 ff4b07cb720fb26210c3a49213737168
http://security.debian.org/pool/updat...openssh-server_4.3p2-9etch2_alpha.deb
Size/MD5 checksum: 266510 113583573c885f7baa40b9a78933c6aa
http://security.debian.org/pool/updat...h-client-udeb_4.3p2-9etch2_alpha.udeb
Size/MD5 checksum: 198498 6dd01cb3b4fe5cf3726142f429281187

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updat...-askpass-gnome_4.3p2-9etch2_amd64.deb
Size/MD5 checksum: 100106 b4dc14aee0a9c94d96e3b392a2dd61e8
http://security.debian.org/pool/updat...openssh-client_4.3p2-9etch2_amd64.deb
Size/MD5 checksum: 711910 dc68b26b2810e7f47e3fa419c262bc07
http://security.debian.org/pool/updat...openssh-server_4.3p2-9etch2_amd64.deb
Size/MD5 checksum: 245522 b02dc226eb5aae330b08429a17f0eef6
http://security.debian.org/pool/updat...h-server-udeb_4.3p2-9etch2_amd64.udeb
Size/MD5 checksum: 183854 fa96f8d05d380a6053672de0a6bd30c1
http://security.debian.org/pool/updat...h-client-udeb_4.3p2-9etch2_amd64.udeb
Size/MD5 checksum: 171334 b2eafdc135649523828db8416f22617d

arm architecture (ARM)

http://security.debian.org/pool/updat...h/openssh-server_4.3p2-9etch2_arm.deb
Size/MD5 checksum: 218980 6065fa1195e74549c7dd66fbe2b41718
http://security.debian.org/pool/updat...sh-askpass-gnome_4.3p2-9etch2_arm.deb
Size/MD5 checksum: 99668 c6260735e7d50c21e19d01702b4e45bb
http://security.debian.org/pool/updat...h/openssh-client_4.3p2-9etch2_arm.deb
Size/MD5 checksum: 650608 42d8f87667ffd3fdccb26ec5c8d775ac
http://security.debian.org/pool/updat...ssh-server-udeb_4.3p2-9etch2_arm.udeb
Size/MD5 checksum: 171666 4bc55e6d06de4f0bda2771ad78770d27
http://security.debian.org/pool/updat...ssh-client-udeb_4.3p2-9etch2_arm.udeb
Size/MD5 checksum: 164870 f82b52267f503acfdf3f7ad1b40b0555

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updat...sh-client-udeb_4.3p2-9etch2_hppa.udeb
Size/MD5 checksum: 189624 351333a1ca9d92e389b0197ec2cca869
http://security.debian.org/pool/updat.../openssh-client_4.3p2-9etch2_hppa.deb
Size/MD5 checksum: 733002 47e84be664670a3ad083d2a3f90c3124
http://security.debian.org/pool/updat...h-askpass-gnome_4.3p2-9etch2_hppa.deb
Size/MD5 checksum: 100460 335b7aed705d4b8a1b9f96a5f6f9ec37
http://security.debian.org/pool/updat...sh-server-udeb_4.3p2-9etch2_hppa.udeb
Size/MD5 checksum: 198168 ec7f163eb74e84d4a8605e54715acc6a
http://security.debian.org/pool/updat.../openssh-server_4.3p2-9etch2_hppa.deb
Size/MD5 checksum: 249924 7ead727d52913c1ff8630e383f6ea48c

i386 architecture (Intel ia32)

http://security.debian.org/pool/updat.../openssh-server_4.3p2-9etch2_i386.deb
Size/MD5 checksum: 223706 68ed0ebd125d47d1406095a818fac0f8
http://security.debian.org/pool/updat...sh-server-udeb_4.3p2-9etch2_i386.udeb
Size/MD5 checksum: 162630 a032adc78b967a09180c480143022e93
http://security.debian.org/pool/updat...h-askpass-gnome_4.3p2-9etch2_i386.deb
Size/MD5 checksum: 99688 949ba4673d2a74126a485098f29a6a96
http://security.debian.org/pool/updat.../openssh-client_4.3p2-9etch2_i386.deb
Size/MD5 checksum: 659896 b15d0dd5cc67362833a2c7853bdff958
http://security.debian.org/pool/updat...sh-client-udeb_4.3p2-9etch2_i386.udeb
Size/MD5 checksum: 154018 4af4893e4eb970c8b005bfee3a1896d5

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updat...sh-client-udeb_4.3p2-9etch2_ia64.udeb
Size/MD5 checksum: 251842 ea30a3806bf73fa5df7c01b291b25660
http://security.debian.org/pool/updat...h-askpass-gnome_4.3p2-9etch2_ia64.deb
Size/MD5 checksum: 101364 33209d8caa1a18569e5fdc2c954b0ad9
http://security.debian.org/pool/updat.../openssh-server_4.3p2-9etch2_ia64.deb
Size/MD5 checksum: 338254 53fecec5c1b02b797e9caa24fa40590e
http://security.debian.org/pool/updat...sh-server-udeb_4.3p2-9etch2_ia64.udeb
Size/MD5 checksum: 269868 c1e98de9b285610d6a2e98ed3875cf0b
http://security.debian.org/pool/updat.../openssh-client_4.3p2-9etch2_ia64.deb
Size/MD5 checksum: 962006 ddc1e2a9de43a804c04b74839b2f3c1a

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updat...-client-udeb_4.3p2-9etch2_mipsel.udeb
Size/MD5 checksum: 192330 c58ce9d9bd8b904ead41b41fd0190d04
http://security.debian.org/pool/updat...penssh-server_4.3p2-9etch2_mipsel.deb
Size/MD5 checksum: 251464 dbc9acc8341bfaf9301e4429b20aa579
http://security.debian.org/pool/updat...-server-udeb_4.3p2-9etch2_mipsel.udeb
Size/MD5 checksum: 201534 11ae7501d65bed1bcd555a31633112a6
http://security.debian.org/pool/updat...askpass-gnome_4.3p2-9etch2_mipsel.deb
Size/MD5 checksum: 99856 0ff3c4ff0b5c891a0772b1e4522252d5
http://security.debian.org/pool/updat...penssh-client_4.3p2-9etch2_mipsel.deb
Size/MD5 checksum: 735142 8913d6adc4df4b33bf8c60f304bc50b1

powerpc architecture (PowerPC)

http://security.debian.org/pool/updat...client-udeb_4.3p2-9etch2_powerpc.udeb
Size/MD5 checksum: 168316 eda08e79a293c684c9371b16ebb6d872
http://security.debian.org/pool/updat...skpass-gnome_4.3p2-9etch2_powerpc.deb
Size/MD5 checksum: 101170 2df82e0bee254e7f3157965c44a1116b
http://security.debian.org/pool/updat...enssh-client_4.3p2-9etch2_powerpc.deb
Size/MD5 checksum: 700848 167dafdb5c2131fa879934d671bcd0a8
http://security.debian.org/pool/updat...server-udeb_4.3p2-9etch2_powerpc.udeb
Size/MD5 checksum: 173326 341ece3621bf9a865db8a51d6edce165
http://security.debian.org/pool/updat...enssh-server_4.3p2-9etch2_powerpc.deb
Size/MD5 checksum: 237034 c4d121d9e6f7305a96f1ff4bd0cc62cf

s390 architecture (IBM S/390)

http://security.debian.org/pool/updat...sh-client-udeb_4.3p2-9etch2_s390.udeb
Size/MD5 checksum: 188518 994524412f881158e5d3c2f8a9d6398a
http://security.debian.org/pool/updat...sh-server-udeb_4.3p2-9etch2_s390.udeb
Size/MD5 checksum: 196906 ae0a4c8c4056aa4416ba9f74d3e78e5e
http://security.debian.org/pool/updat.../openssh-client_4.3p2-9etch2_s390.deb
Size/MD5 checksum: 725718 97047ff8dc9d0d42e59fcc04553861f6
http://security.debian.org/pool/updat...h-askpass-gnome_4.3p2-9etch2_s390.deb
Size/MD5 checksum: 100148 b0fc6b7f3af34bbbb9cdae41ecb244a6
http://security.debian.org/pool/updat.../openssh-server_4.3p2-9etch2_s390.deb
Size/MD5 checksum: 246770 3dc23f0937021e333a4b0be608df07c3

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updat...h-server-udeb_4.3p2-9etch2_sparc.udeb
Size/MD5 checksum: 166704 b39759f84a47b5876fc6fa1d0cd15b83
http://security.debian.org/pool/updat...openssh-client_4.3p2-9etch2_sparc.deb
Size/MD5 checksum: 640390 179203ca93933eaa8533b9d5b92bd018
http://security.debian.org/pool/updat...-askpass-gnome_4.3p2-9etch2_sparc.deb
Size/MD5 checksum: 99644 3c7bed91286b1d9480a1453e7672242a
http://security.debian.org/pool/updat...h-client-udeb_4.3p2-9etch2_sparc.udeb
Size/MD5 checksum: 158358 5850cbde916ceb8eed29a0c52e2c799c
http://security.debian.org/pool/updat...openssh-server_4.3p2-9etch2_sparc.deb
Size/MD5 checksum: 218146 15608f46ef44bcd8f3244dd7fe58de52

-- Debian GNU/Linux unstable alias sid --

Fixed in version 4.7p1-9.

Changelog:
2008-05-19: Updated "Solution" with new package information. The ssh-vulnkey tool introduced in openssh 1:4.3p2-9etch1 contains an error, leading to some compromised keys not being listed in ssh-vulnkey's output. Updated "Original Advisory" section.

Original Advisory:
http://lists.debian.org/debian-security-announce/2008/msg00153.html
http://lists.debian.org/debian-security-announce/2008/msg00155.html

Other References:
SA29522:
http://secunia.com/advisories/29522/

SA30220:
http://secunia.com/advisories/30220/


Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

1191 Related Secunia Security Advisories, displaying 10

1. Debian update for pcre3
2. Debian update for wordpress
3. Debian update for sympa
4. Debian update for dbus
5. Debian update for libtk-img
6. Debian update for imlib2
7. Debian update for xorg-server
8. Debian update for mt-daapd
9. Debian update for typo3
10. Debian update for xorg-server

Show all related advisories


Send Feedback to Secunia

If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.

Ideas, suggestions, and other feedback are most welcome.








Secunia PSI
Scan | Patch | Track
Free Download

Secunia Poll

Do you think it's important to read Setup/User Guides for applications for use within your network?


See Results   


Most Popular Advisories

1.
Microsoft Windows DNS Spoofing Vulnerabilities
2.
Microsoft Access Snapshot Viewer ActiveX Control Vulnerability
3.
Microsoft Windows Explorer Saved Search Vulnerability
4.
ArticleBeach Script "page" File Inclusion Vulnerability
5.
Joomla Unauthorized Access Vulnerabilities
6.
Microsoft SQL Server and MSDE Multiple Vulnerabilities
7.
Microsoft Outlook Web Access Script Insertion Vulnerabilities
8.
Mozilla Firefox Multiple Vulnerabilities
9.
Symantec Brightmail AntiSpam Notifier Denial of Service
10.
Joomla Brightcode Weblinks Component "catid" SQL Injection





Vulnerability Management - Terms & Conditions - Copyright 2002-2008 Secunia - Compliance - Contact Secunia