-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

		Caldera International, Inc.  Security Advisory

Subject:		Linux: REVISED: OpenSSH ticket and token passing buffer overflow
Advisory number: 	CSSA-2002-022.2
Issue date: 		2002 May 31
Cross reference:
______________________________________________________________________________


1. Problem Description

	A buffer overflow exists in OpenSSH if KerberosTgtPassing or
	AFSTokenPassing has been enabled in the sshd_config file. A
	malicious user, possibly remote, could use this vulnerability
	to gain privileged access to the system.

	The previous several updates of openSSH have had erroneous
	version numbers. We have decided to release the latest version
	of openSSH (3.2.3), instead of trying to bring the current
	version (2.9.9) up to date.


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------

	OpenLinux 3.1.1 Server		prior to openssh-3.2.3p1-2.i386.rpm
					prior to openssh-askpass-3.2.3p1-2.i386.rpm
					prior to openssh-server-3.2.3p1-2.i386.rpm

	OpenLinux 3.1.1 Workstation	prior to openssh-3.2.3p1-2.i386.rpm
					prior to openssh-askpass-3.2.3p1-2.i386.rpm
					prior to openssh-server-3.2.3p1-2.i386.rpm

	OpenLinux 3.1 Server		prior to openssh-3.2.3p1-2.i386.rpm
					prior to openssh-askpass-3.2.3p1-2.i386.rpm
					prior to openssh-server-3.2.3p1-2.i386.rpm

	OpenLinux 3.1 Workstation	prior to openssh-3.2.3p1-2.i386.rpm
					prior to openssh-askpass-3.2.3p1-2.i386.rpm
					prior to openssh-server-3.2.3p1-2.i386.rpm


3. Solution

	The proper solution is to install the latest packages.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

	4.2 Packages

	8b0a12d11ab1aae416b447150417e215	openssh-3.2.3p1-2.i386.rpm
	bebfc9ceb41069ceb7fa465417a11545	openssh-askpass-3.2.3p1-2.i386.rpm
	2e45900b925a2d6735e804141c219947	openssh-server-3.2.3p1-2.i386.rpm

	4.3 Installation

	rpm -Fvh openssh-3.2.3p1-2.i386.rpm
	rpm -Fvh openssh-askpass-3.2.3p1-2.i386.rpm
	rpm -Fvh openssh-server-3.2.3p1-2.i386.rpm

	4.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

	4.5 Source Packages

	a2b90c09e76d3d025c67fa7d3f5416d3	openssh-3.2.3p1-2.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

	5.2 Packages

	73daca03946a1ded2f70e033f30002fe	openssh-3.2.3p1-2.i386.rpm
	0c47a7427efa307fc671608a02965e26	openssh-askpass-3.2.3p1-2.i386.rpm
	1fbbc843259150088a1351ff03762c46	openssh-server-3.2.3p1-2.i386.rpm

	5.3 Installation

	rpm -Fvh openssh-3.2.3p1-2.i386.rpm
	rpm -Fvh openssh-askpass-3.2.3p1-2.i386.rpm
	rpm -Fvh openssh-server-3.2.3p1-2.i386.rpm

	5.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

	5.5 Source Packages

	5d2283d5260e898d78aae2efdf4eeca9	openssh-3.2.3p1-2.src.rpm


6. OpenLinux 3.1 Server

	6.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

	6.2 Packages

	576beaa523b0e752c1756b6283bd9b70	openssh-3.2.3p1-2.i386.rpm
	a0b034c8235a0f46d3878d7f68b35335	openssh-askpass-3.2.3p1-2.i386.rpm
	ae46ce85ea292e6100e848937ac615b3	openssh-server-3.2.3p1-2.i386.rpm

	6.3 Installation

	rpm -Fvh openssh-3.2.3p1-2.i386.rpm
	rpm -Fvh openssh-askpass-3.2.3p1-2.i386.rpm
	rpm -Fvh openssh-server-3.2.3p1-2.i386.rpm

	6.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

	6.5 Source Packages

	f430558567f4bfca1560d29befcc0322	openssh-3.2.3p1-2.src.rpm


7. OpenLinux 3.1 Workstation

	7.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

	7.2 Packages

	4c9d35ddca2023187e418bffae70fce1	openssh-3.2.3p1-2.i386.rpm
	3103ee17d286b2c85d2f93376ebad965	openssh-askpass-3.2.3p1-2.i386.rpm
	4a0926190f4818e908c22abed8268e9a	openssh-server-3.2.3p1-2.i386.rpm

	7.3 Installation

	rpm -Fvh openssh-3.2.3p1-2.i386.rpm
	rpm -Fvh openssh-askpass-3.2.3p1-2.i386.rpm
	rpm -Fvh openssh-server-3.2.3p1-2.i386.rpm

	7.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

	7.5 Source Packages

	6f22760d5fc6dfa2227772e0f51ffc9e	openssh-3.2.3p1-2.src.rpm


8. References

	Specific references for this advisory:
		none

	Caldera OpenLinux security resources:
		http://www.caldera.com/support/security/index.html

	Caldera UNIX security resources:
		http://stage.caldera.com/support/security/

	This security fix closes Caldera incidents sr863642, fz520794
	and erg712034.


9. Disclaimer

	Caldera International, Inc. is not responsible for the misuse
	of any of the information we provide on this website and/or
	through our security advisories. Our advisories are a service
	to our customers intended to promote secure installation and
	use of Caldera products.


10. Acknowledgements

	Marcell Fodor discovered and researched this vulnerability.

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjz4EQoACgkQbluZssSXDTHJfQCePLcf8omE/l8kBOyvu6N/mLcg
EVgAoNsqKBni4LHT91SAalXPwQuBIjbm
=W83X
-----END PGP SIGNATURE-----