FreeBSD Security Advisories
2003-Sep-16 11:17 UTC
FreeBSD Security Advisory FreeBSD-SA-03:12.openssh
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
============================================================================FreeBSD-SA-03:12
Security Advisory
FreeBSD, Inc.
Topic: OpenSSH buffer management error
Category: core, ports
Module: openssh, ports_openssh, openssh-portable
Announced: 2003-09-16
Credits: The OpenSSH Project <openssh@openssh.org>
Affects: All FreeBSD releases after 4.0-RELEASE
FreeBSD 4-STABLE prior to the correction date
openssh port prior to openssh-3.6.1_1
openssh-portable port prior to openssh-portable-3.6.1p2_1
Corrected: 2003-09-16 16:24:02 UTC (RELENG_4)
2003-09-16 16:27:57 UTC (RELENG_5_1)
2003-09-16 17:34:32 UTC (RELENG_5_0)
2003-09-16 16:24:02 UTC (RELENG_4_8)
2003-09-16 16:45:16 UTC (RELENG_4_7)
2003-09-16 17:44:15 UTC (RELENG_4_6)
2003-09-16 17:45:23 UTC (RELENG_4_5)
2003-09-16 17:46:02 UTC (RELENG_4_4)
2003-09-16 17:46:37 UTC (RELENG_4_3)
2003-09-16 12:43:09 UTC (ports/security/openssh)
2003-09-16 12:43:10 UTC (ports/security/openssh-portable)
CVE: CAN-2003-0693
FreeBSD only: NO
I. Background
OpenSSH is a free version of the SSH protocol suite of network
connectivity tools. OpenSSH encrypts all traffic (including
passwords) to effectively eliminate eavesdropping, connection
hijacking, and other network-level attacks. Additionally, OpenSSH
provides a myriad of secure tunneling capabilities, as well as a
variety of authentication methods. `ssh' is the client application,
while `sshd' is the server.
II. Problem Description
When a packet is received that is larger than the space remaining in
the currently allocated buffer, OpenSSH's buffer management attempts
to reallocate a larger buffer. During this process, the recorded size
of the buffer is increased. The new size is then range checked. If
the range check fails, then fatal() is called to cleanup and exit.
In some cases, the cleanup code will attempt to zero and free the
buffer that just had its recorded size (but not actual allocation)
increased. As a result, memory outside of the allocated buffer will
be overwritten with NUL bytes.
III. Impact
A remote attacker can cause OpenSSH to crash. The bug is not believed
to be exploitable for code execution on FreeBSD.
IV. Workaround
Do one of the following:
1) Disable the base system sshd by executing the following command as
root:
# kill `cat /var/run/sshd.pid`
Be sure that sshd is not restarted when the system is restarted
by adding the following line to the end of /etc/rc.conf:
sshd_enable="NO"
AND
Deinstall the openssh or openssh-portable ports if you have one of
them installed.
V. Solution
Do one of the following:
[For OpenSSH included in the base system]
1) Upgrade your vulnerable system to 4-STABLE or to the RELENG_5_1,
RELENG_4_8, or RELENG_4_7 security branch dated after
the correction date (5.1-RELEASE-p3, 4.8-RELEASE-p5, or
4.7-RELEASE-p15, respectively).
2) FreeBSD systems prior to the correction date:
The following patches have been verified to apply to FreeBSD 4.x and
FreeBSD 5.x systems prior to the correction date.
Download the appropriate patch and detached PGP signature from the following
locations, and verify the signature using your PGP utility.
[FreeBSD 4.3 through 4.5]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch
# fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch.asc
[FreeBSD 4.6 and later, FreeBSD 5.0 and later]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch
# fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch.asc
Execute the following commands as root:
# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all install
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install
Be sure to restart `sshd' after updating.
# kill `cat /var/run/sshd.pid`
# (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})
[For the OpenSSH ports]
One of the following:
1) Upgrade your entire ports collection and rebuild the OpenSSH port.
2) Deinstall the old package and install a new package obtained from
the following directory:
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/
[other platforms]
Packages are not automatically generated for other platforms at this
time due to lack of build resources.
3) Download a new port skeleton for the openssh or openssh-portable
port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz
Be sure to restart `sshd' after updating.
# kill `cat /var/run/sshd.pid`
# test -x /usr/local/etc/rc.d/sshd.sh && sh /usr/local/etc/rc.d/sshd.sh
start
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in the FreeBSD base system and ports collection.
Branch Revision
Path
- -------------------------------------------------------------------------
[Base system]
RELENG_4
src/crypto/openssh/buffer.c 1.1.1.1.2.5
src/crypto/openssh/version.h 1.1.1.1.2.11
RELENG_5_1
src/UPDATING 1.251.2.4
src/crypto/openssh/buffer.c 1.1.1.6.4.1
src/crypto/openssh/version.h 1.20.2.1
src/sys/conf/newvers.sh 1.50.2.5
RELENG_5_0
src/UPDATING 1.229.2.18
src/crypto/openssh/buffer.c 1.1.1.6.2.1
src/crypto/openssh/version.h 1.18.2.1
src/sys/conf/newvers.sh 1.48.2.13
RELENG_4_8
src/UPDATING 1.73.2.80.2.7
src/crypto/openssh/buffer.c 1.1.1.1.2.4.4.1
src/crypto/openssh/version.h 1.1.1.1.2.10.2.1
src/sys/conf/newvers.sh 1.44.2.29.2.6
RELENG_4_7
src/UPDATING 1.73.2.74.2.18
src/crypto/openssh/buffer.c 1.1.1.1.2.4.2.1
src/crypto/openssh/version.h 1.1.1.1.2.9.2.1
src/sys/conf/newvers.sh 1.44.2.26.2.17
RELENG_4_6
src/UPDATING 1.73.2.68.2.46
src/crypto/openssh/buffer.c 1.1.1.1.2.3.4.2
src/crypto/openssh/version.h 1.1.1.1.2.8.2.2
src/sys/conf/newvers.sh 1.44.2.23.2.35
RELENG_4_5
src/UPDATING 1.73.2.50.2.47
src/crypto/openssh/buffer.c 1.1.1.1.2.3.2.1
src/crypto/openssh/version.h 1.1.1.1.2.7.2.2
src/sys/conf/newvers.sh 1.44.2.20.2.31
RELENG_4_4
src/UPDATING 1.73.2.43.2.48
src/crypto/openssh/buffer.c 1.1.1.1.2.2.4.1
src/crypto/openssh/version.h 1.1.1.1.2.5.2.3
src/sys/conf/newvers.sh 1.44.2.17.2.39
RELENG_4_3
src/UPDATING 1.73.2.28.2.35
src/crypto/openssh/buffer.c 1.1.1.1.2.2.2.1
src/crypto/openssh/version.h 1.1.1.1.2.4.2.3
src/sys/conf/newvers.sh 1.44.2.14.2.25
[Ports]
ports/security/openssh-portable/Makefile 1.73
ports/security/openssh-portable/files/patch-buffer.c 1.1
ports/security/openssh/Makefile 1.120
ports/security/openssh/files/patch-buffer.c 1.1
- -------------------------------------------------------------------------
Branch Version string
- -------------------------------------------------------------------------
HEAD OpenSSH_3.6.1p1 FreeBSD-20030916
RELENG_4 OpenSSH_3.5p1 FreeBSD-20030916
RELENG_5_1 OpenSSH_3.6.1p1 FreeBSD-20030916
RELENG_4_8 OpenSSH_3.5p1 FreeBSD-20030916
RELENG_4_7 OpenSSH_3.4p1 FreeBSD-20030916
RELENG_4_6 OpenSSH_3.4p1 FreeBSD-20030916
RELENG_4_5 OpenSSH_2.9 FreeBSD localisations 20030916
RELENG_4_4 OpenSSH_2.3.0 FreeBSD localisations 20030916
RELENG_4_3 OpenSSH_2.3.0 green@FreeBSD.org 20030916
- -------------------------------------------------------------------------
To view the version string of the OpenSSH server, execute the
following command:
% /usr/sbin/sshd -\?
The version string is also displayed when a client connects to the
server.
To view the version string of the OpenSSH client, execute the
following command:
% /usr/bin/ssh -V
VII. References
<URL:http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html>
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0693 to this issue.
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)
iD8DBQE/Z1MtFdaIBMps37IRApcyAKCIjophc4e8UGhAlTTiNCunVJSlfgCffMgQ
PW0VvEnS7MMUYyekHuz49ro=vcm1
-----END PGP SIGNATURE-----
FreeBSD Security Advisories
2003-Sep-16 11:17 UTC
FreeBSD Security Advisory FreeBSD-SA-03:12.openssh
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
============================================================================FreeBSD-SA-03:12
Security Advisory
FreeBSD, Inc.
Topic: OpenSSH buffer management error
Category: core, ports
Module: openssh, ports_openssh, openssh-portable
Announced: 2003-09-16
Credits: The OpenSSH Project <openssh@openssh.org>
Affects: All FreeBSD releases after 4.0-RELEASE
FreeBSD 4-STABLE prior to the correction date
openssh port prior to openssh-3.6.1_1
openssh-portable port prior to openssh-portable-3.6.1p2_1
Corrected: 2003-09-16 16:24:02 UTC (RELENG_4)
2003-09-16 16:27:57 UTC (RELENG_5_1)
2003-09-16 17:34:32 UTC (RELENG_5_0)
2003-09-16 16:24:02 UTC (RELENG_4_8)
2003-09-16 16:45:16 UTC (RELENG_4_7)
2003-09-16 17:44:15 UTC (RELENG_4_6)
2003-09-16 17:45:23 UTC (RELENG_4_5)
2003-09-16 17:46:02 UTC (RELENG_4_4)
2003-09-16 17:46:37 UTC (RELENG_4_3)
2003-09-16 12:43:09 UTC (ports/security/openssh)
2003-09-16 12:43:10 UTC (ports/security/openssh-portable)
CVE: CAN-2003-0693
FreeBSD only: NO
I. Background
OpenSSH is a free version of the SSH protocol suite of network
connectivity tools. OpenSSH encrypts all traffic (including
passwords) to effectively eliminate eavesdropping, connection
hijacking, and other network-level attacks. Additionally, OpenSSH
provides a myriad of secure tunneling capabilities, as well as a
variety of authentication methods. `ssh' is the client application,
while `sshd' is the server.
II. Problem Description
When a packet is received that is larger than the space remaining in
the currently allocated buffer, OpenSSH's buffer management attempts
to reallocate a larger buffer. During this process, the recorded size
of the buffer is increased. The new size is then range checked. If
the range check fails, then fatal() is called to cleanup and exit.
In some cases, the cleanup code will attempt to zero and free the
buffer that just had its recorded size (but not actual allocation)
increased. As a result, memory outside of the allocated buffer will
be overwritten with NUL bytes.
III. Impact
A remote attacker can cause OpenSSH to crash. The bug is not believed
to be exploitable for code execution on FreeBSD.
IV. Workaround
Do one of the following:
1) Disable the base system sshd by executing the following command as
root:
# kill `cat /var/run/sshd.pid`
Be sure that sshd is not restarted when the system is restarted
by adding the following line to the end of /etc/rc.conf:
sshd_enable="NO"
AND
Deinstall the openssh or openssh-portable ports if you have one of
them installed.
V. Solution
Do one of the following:
[For OpenSSH included in the base system]
1) Upgrade your vulnerable system to 4-STABLE or to the RELENG_5_1,
RELENG_4_8, or RELENG_4_7 security branch dated after
the correction date (5.1-RELEASE-p3, 4.8-RELEASE-p5, or
4.7-RELEASE-p15, respectively).
2) FreeBSD systems prior to the correction date:
The following patches have been verified to apply to FreeBSD 4.x and
FreeBSD 5.x systems prior to the correction date.
Download the appropriate patch and detached PGP signature from the following
locations, and verify the signature using your PGP utility.
[FreeBSD 4.3 through 4.5]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch
# fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch.asc
[FreeBSD 4.6 and later, FreeBSD 5.0 and later]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch
# fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch.asc
Execute the following commands as root:
# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all install
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install
Be sure to restart `sshd' after updating.
# kill `cat /var/run/sshd.pid`
# (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})
[For the OpenSSH ports]
One of the following:
1) Upgrade your entire ports collection and rebuild the OpenSSH port.
2) Deinstall the old package and install a new package obtained from
the following directory:
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/
[other platforms]
Packages are not automatically generated for other platforms at this
time due to lack of build resources.
3) Download a new port skeleton for the openssh or openssh-portable
port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz
Be sure to restart `sshd' after updating.
# kill `cat /var/run/sshd.pid`
# test -x /usr/local/etc/rc.d/sshd.sh && sh /usr/local/etc/rc.d/sshd.sh
start
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in the FreeBSD base system and ports collection.
Branch Revision
Path
- -------------------------------------------------------------------------
[Base system]
RELENG_4
src/crypto/openssh/buffer.c 1.1.1.1.2.5
src/crypto/openssh/version.h 1.1.1.1.2.11
RELENG_5_1
src/UPDATING 1.251.2.4
src/crypto/openssh/buffer.c 1.1.1.6.4.1
src/crypto/openssh/version.h 1.20.2.1
src/sys/conf/newvers.sh 1.50.2.5
RELENG_5_0
src/UPDATING 1.229.2.18
src/crypto/openssh/buffer.c 1.1.1.6.2.1
src/crypto/openssh/version.h 1.18.2.1
src/sys/conf/newvers.sh 1.48.2.13
RELENG_4_8
src/UPDATING 1.73.2.80.2.7
src/crypto/openssh/buffer.c 1.1.1.1.2.4.4.1
src/crypto/openssh/version.h 1.1.1.1.2.10.2.1
src/sys/conf/newvers.sh 1.44.2.29.2.6
RELENG_4_7
src/UPDATING 1.73.2.74.2.18
src/crypto/openssh/buffer.c 1.1.1.1.2.4.2.1
src/crypto/openssh/version.h 1.1.1.1.2.9.2.1
src/sys/conf/newvers.sh 1.44.2.26.2.17
RELENG_4_6
src/UPDATING 1.73.2.68.2.46
src/crypto/openssh/buffer.c 1.1.1.1.2.3.4.2
src/crypto/openssh/version.h 1.1.1.1.2.8.2.2
src/sys/conf/newvers.sh 1.44.2.23.2.35
RELENG_4_5
src/UPDATING 1.73.2.50.2.47
src/crypto/openssh/buffer.c 1.1.1.1.2.3.2.1
src/crypto/openssh/version.h 1.1.1.1.2.7.2.2
src/sys/conf/newvers.sh 1.44.2.20.2.31
RELENG_4_4
src/UPDATING 1.73.2.43.2.48
src/crypto/openssh/buffer.c 1.1.1.1.2.2.4.1
src/crypto/openssh/version.h 1.1.1.1.2.5.2.3
src/sys/conf/newvers.sh 1.44.2.17.2.39
RELENG_4_3
src/UPDATING 1.73.2.28.2.35
src/crypto/openssh/buffer.c 1.1.1.1.2.2.2.1
src/crypto/openssh/version.h 1.1.1.1.2.4.2.3
src/sys/conf/newvers.sh 1.44.2.14.2.25
[Ports]
ports/security/openssh-portable/Makefile 1.73
ports/security/openssh-portable/files/patch-buffer.c 1.1
ports/security/openssh/Makefile 1.120
ports/security/openssh/files/patch-buffer.c 1.1
- -------------------------------------------------------------------------
Branch Version string
- -------------------------------------------------------------------------
HEAD OpenSSH_3.6.1p1 FreeBSD-20030916
RELENG_4 OpenSSH_3.5p1 FreeBSD-20030916
RELENG_5_1 OpenSSH_3.6.1p1 FreeBSD-20030916
RELENG_4_8 OpenSSH_3.5p1 FreeBSD-20030916
RELENG_4_7 OpenSSH_3.4p1 FreeBSD-20030916
RELENG_4_6 OpenSSH_3.4p1 FreeBSD-20030916
RELENG_4_5 OpenSSH_2.9 FreeBSD localisations 20030916
RELENG_4_4 OpenSSH_2.3.0 FreeBSD localisations 20030916
RELENG_4_3 OpenSSH_2.3.0 green@FreeBSD.org 20030916
- -------------------------------------------------------------------------
To view the version string of the OpenSSH server, execute the
following command:
% /usr/sbin/sshd -\?
The version string is also displayed when a client connects to the
server.
To view the version string of the OpenSSH client, execute the
following command:
% /usr/bin/ssh -V
VII. References
<URL:http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html>
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0693 to this issue.
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)
iD8DBQE/Z1MtFdaIBMps37IRApcyAKCIjophc4e8UGhAlTTiNCunVJSlfgCffMgQ
PW0VvEnS7MMUYyekHuz49ro=vcm1
-----END PGP SIGNATURE-----
really nothing but... [...]> Be sure to restart `sshd' after updating. > > # kill `cat /var/run/sshd.pid` > # (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})the path to sshd should be something more like /usr/sbin/sshd, no? A. -- There has been only one Christian. They caught him and crucified him -- early. - Mark Twain -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20030916/ff7e5985/attachment.bin
# kill `cat /var/run/sshd.pid`
# (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})
how do i run that second line.
# (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})
yes i'm a n00b but what ever i try i get some error msg telling me that it
didnt work. i just started sshd with:
sh /usr/sbin/sshd and worked too.
But you would make me a very happy n00b if somebody can explain it :-)
Regards,
horcy
http://www.text-only.demon.nl
----- Original Message -----
From: "FreeBSD Security Advisories"
<security-advisories@freebsd.org>
To: "FreeBSD Security Advisories"
<security-advisories@freebsd.org>
Sent: Tuesday, September 16, 2003 8:17 PM
Subject: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
===========================================================================>
FreeBSD-SA-03:12 Security
Advisory> FreeBSD,
Inc.>
> Topic: OpenSSH buffer management error
>
> Category: core, ports
> Module: openssh, ports_openssh, openssh-portable
> Announced: 2003-09-16
> Credits: The OpenSSH Project <openssh@openssh.org>
> Affects: All FreeBSD releases after 4.0-RELEASE
> FreeBSD 4-STABLE prior to the correction date
> openssh port prior to openssh-3.6.1_1
> openssh-portable port prior to openssh-portable-3.6.1p2_1
> Corrected: 2003-09-16 16:24:02 UTC (RELENG_4)
> 2003-09-16 16:27:57 UTC (RELENG_5_1)
> 2003-09-16 17:34:32 UTC (RELENG_5_0)
> 2003-09-16 16:24:02 UTC (RELENG_4_8)
> 2003-09-16 16:45:16 UTC (RELENG_4_7)
> 2003-09-16 17:44:15 UTC (RELENG_4_6)
> 2003-09-16 17:45:23 UTC (RELENG_4_5)
> 2003-09-16 17:46:02 UTC (RELENG_4_4)
> 2003-09-16 17:46:37 UTC (RELENG_4_3)
> 2003-09-16 12:43:09 UTC (ports/security/openssh)
> 2003-09-16 12:43:10 UTC (ports/security/openssh-portable)
> CVE: CAN-2003-0693
> FreeBSD only: NO
>
> I. Background
>
> OpenSSH is a free version of the SSH protocol suite of network
> connectivity tools. OpenSSH encrypts all traffic (including
> passwords) to effectively eliminate eavesdropping, connection
> hijacking, and other network-level attacks. Additionally, OpenSSH
> provides a myriad of secure tunneling capabilities, as well as a
> variety of authentication methods. `ssh' is the client application,
> while `sshd' is the server.
>
> II. Problem Description
>
> When a packet is received that is larger than the space remaining in
> the currently allocated buffer, OpenSSH's buffer management attempts
> to reallocate a larger buffer. During this process, the recorded size
> of the buffer is increased. The new size is then range checked. If
> the range check fails, then fatal() is called to cleanup and exit.
> In some cases, the cleanup code will attempt to zero and free the
> buffer that just had its recorded size (but not actual allocation)
> increased. As a result, memory outside of the allocated buffer will
> be overwritten with NUL bytes.
>
> III. Impact
>
> A remote attacker can cause OpenSSH to crash. The bug is not believed
> to be exploitable for code execution on FreeBSD.
>
> IV. Workaround
>
> Do one of the following:
>
> 1) Disable the base system sshd by executing the following command as
> root:
>
> # kill `cat /var/run/sshd.pid`
>
> Be sure that sshd is not restarted when the system is restarted
> by adding the following line to the end of /etc/rc.conf:
>
> sshd_enable="NO"
>
> AND
>
> Deinstall the openssh or openssh-portable ports if you have one of
> them installed.
>
> V. Solution
>
> Do one of the following:
>
> [For OpenSSH included in the base system]
>
> 1) Upgrade your vulnerable system to 4-STABLE or to the RELENG_5_1,
> RELENG_4_8, or RELENG_4_7 security branch dated after
> the correction date (5.1-RELEASE-p3, 4.8-RELEASE-p5, or
> 4.7-RELEASE-p15, respectively).
>
> 2) FreeBSD systems prior to the correction date:
>
> The following patches have been verified to apply to FreeBSD 4.x and
> FreeBSD 5.x systems prior to the correction date.
>
> Download the appropriate patch and detached PGP signature from the
following> locations, and verify the signature using your PGP utility.
>
> [FreeBSD 4.3 through 4.5]
> # fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch> # fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch.asc>
> [FreeBSD 4.6 and later, FreeBSD 5.0 and later]
> # fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch> # fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch.asc>
> Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/sshd.patch
> # cd /usr/src/secure/lib/libssh
> # make depend && make all install
> # cd /usr/src/secure/usr.sbin/sshd
> # make depend && make all install
> # cd /usr/src/secure/usr.bin/ssh
> # make depend && make all install
>
> Be sure to restart `sshd' after updating.
>
> # kill `cat /var/run/sshd.pid`
> # (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})
>
> [For the OpenSSH ports]
>
> One of the following:
>
> 1) Upgrade your entire ports collection and rebuild the OpenSSH port.
>
> 2) Deinstall the old package and install a new package obtained from
> the following directory:
>
> [i386]
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/
>
> [other platforms]
> Packages are not automatically generated for other platforms at this
> time due to lack of build resources.
>
> 3) Download a new port skeleton for the openssh or openssh-portable
> port from:
>
> http://www.freebsd.org/ports/
>
> and use it to rebuild the port.
>
> 4) Use the portcheckout utility to automate option (3) above. The
> portcheckout port is available in /usr/ports/devel/portcheckout or the
> package can be obtained from:
>
>
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz>
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz>
> Be sure to restart `sshd' after updating.
>
> # kill `cat /var/run/sshd.pid`
> # test -x /usr/local/etc/rc.d/sshd.sh && sh
/usr/local/etc/rc.d/sshd.sh
start>
> VI. Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in the FreeBSD base system and ports collection.
>
> Branch Revision
> Path
> - ------------------------------------------------------------------------
-> [Base system]
> RELENG_4
> src/crypto/openssh/buffer.c 1.1.1.1.2.5
> src/crypto/openssh/version.h 1.1.1.1.2.11
> RELENG_5_1
> src/UPDATING 1.251.2.4
> src/crypto/openssh/buffer.c 1.1.1.6.4.1
> src/crypto/openssh/version.h 1.20.2.1
> src/sys/conf/newvers.sh 1.50.2.5
> RELENG_5_0
> src/UPDATING 1.229.2.18
> src/crypto/openssh/buffer.c 1.1.1.6.2.1
> src/crypto/openssh/version.h 1.18.2.1
> src/sys/conf/newvers.sh 1.48.2.13
> RELENG_4_8
> src/UPDATING 1.73.2.80.2.7
> src/crypto/openssh/buffer.c 1.1.1.1.2.4.4.1
> src/crypto/openssh/version.h 1.1.1.1.2.10.2.1
> src/sys/conf/newvers.sh 1.44.2.29.2.6
> RELENG_4_7
> src/UPDATING 1.73.2.74.2.18
> src/crypto/openssh/buffer.c 1.1.1.1.2.4.2.1
> src/crypto/openssh/version.h 1.1.1.1.2.9.2.1
> src/sys/conf/newvers.sh 1.44.2.26.2.17
> RELENG_4_6
> src/UPDATING 1.73.2.68.2.46
> src/crypto/openssh/buffer.c 1.1.1.1.2.3.4.2
> src/crypto/openssh/version.h 1.1.1.1.2.8.2.2
> src/sys/conf/newvers.sh 1.44.2.23.2.35
> RELENG_4_5
> src/UPDATING 1.73.2.50.2.47
> src/crypto/openssh/buffer.c 1.1.1.1.2.3.2.1
> src/crypto/openssh/version.h 1.1.1.1.2.7.2.2
> src/sys/conf/newvers.sh 1.44.2.20.2.31
> RELENG_4_4
> src/UPDATING 1.73.2.43.2.48
> src/crypto/openssh/buffer.c 1.1.1.1.2.2.4.1
> src/crypto/openssh/version.h 1.1.1.1.2.5.2.3
> src/sys/conf/newvers.sh 1.44.2.17.2.39
> RELENG_4_3
> src/UPDATING 1.73.2.28.2.35
> src/crypto/openssh/buffer.c 1.1.1.1.2.2.2.1
> src/crypto/openssh/version.h 1.1.1.1.2.4.2.3
> src/sys/conf/newvers.sh 1.44.2.14.2.25
> [Ports]
> ports/security/openssh-portable/Makefile 1.73
> ports/security/openssh-portable/files/patch-buffer.c 1.1
> ports/security/openssh/Makefile 1.120
> ports/security/openssh/files/patch-buffer.c 1.1
> - ------------------------------------------------------------------------
->
> Branch Version string
> - ------------------------------------------------------------------------
-> HEAD OpenSSH_3.6.1p1 FreeBSD-20030916
> RELENG_4 OpenSSH_3.5p1 FreeBSD-20030916
> RELENG_5_1 OpenSSH_3.6.1p1 FreeBSD-20030916
> RELENG_4_8 OpenSSH_3.5p1 FreeBSD-20030916
> RELENG_4_7 OpenSSH_3.4p1 FreeBSD-20030916
> RELENG_4_6 OpenSSH_3.4p1 FreeBSD-20030916
> RELENG_4_5 OpenSSH_2.9 FreeBSD localisations 20030916
> RELENG_4_4 OpenSSH_2.3.0 FreeBSD localisations 20030916
> RELENG_4_3 OpenSSH_2.3.0 green@FreeBSD.org 20030916
> - ------------------------------------------------------------------------
->
> To view the version string of the OpenSSH server, execute the
> following command:
>
> % /usr/sbin/sshd -\?
>
> The version string is also displayed when a client connects to the
> server.
>
> To view the version string of the OpenSSH client, execute the
> following command:
>
> % /usr/bin/ssh -V
>
> VII. References
>
>
<URL:http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/0
00063.html>>
> The Common Vulnerabilities and Exposures project (cve.mitre.org) has
> assigned the name CAN-2003-0693 to this issue.
> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (FreeBSD)
>
> iD8DBQE/Z1MtFdaIBMps37IRApcyAKCIjophc4e8UGhAlTTiNCunVJSlfgCffMgQ
> PW0VvEnS7MMUYyekHuz49ro> =vcm1
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-security-notifications@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
> To unsubscribe, send any mail to
"freebsd-security-notifications-unsubscribe@freebsd.org"
At 07:44 17/09/2003 +0200, horcy wrote:># (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags}) > >yes i'm a n00b but what ever i try i get some error msg telling me that it >didnt work. i just started sshd with: >sh /usr/sbin/sshd and worked too. >But you would make me a very happy n00b if somebody can explain it :-)It's a typographical error -- it should have been># (. /etc/rc.conf && ${sshd_program:-/usr/sbin/sshd} ${sshd_flags})^^^^^^^^^^^^^^ Colin Percival
Jacques A. Vidrine
2003-Sep-17 11:43 UTC
FreeBSD Security Advisory FreeBSD-SA-03:12.openssh
On Wed, Sep 17, 2003 at 02:39:14PM -0400, Jonathan Lennox wrote:> Jacques A. Vidrine writes: > > On Wed, Sep 17, 2003 at 06:56:51AM -0700, Mark Foster wrote: > > > Also, the command as shown doesn't work under csh, you must run under sh > > > Good point. I've always assumed use of the real shell :-) for > > security advisories, but that is not a good assumption, particularly > > since by default the root user has csh. > > On FreeBSD 5.0 and later, wouldn't it be both simpler and safer to > recommend > # /etc/rc.d/sshd restart > instead?Then there would be two sets of instructions, which sucks. I think we'll just not do it quite completely and go with # kill `cat /var/run/sshd.pid` # /usr/sbin/sshd -- Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
Is there a solution for the patch on freebsd boxes where I do not keep any sources eg. the /usr/src is empty? best regards Sandor Berta
>From: "berta" <berta@beco.hu> >To: <freebsd-security@freebsd.org> >Date: Thu, 18 Sep 2003 13:48:02 +0200 >Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh>Is there a solution for the patch on freebsd boxes where >I do not keep any sources eg. the /usr/src is empty?Certainly. My "production" FreeBSD boxes here at home do not have sources. I build the software for them on a separate ("build") machine, then do NFS installs. As far as what is suitable for your environment, much depends on how you installed on those machines, and how you designed your environment to accomodate subsequent updates. Peace, david -- David H. Wolfskill david@catwhisker.org If you want true virus-protection for your PC, install a non-Microsoft OS on it. Plausible candidates include FreeBSD, Linux, NetBSD, OpenBSD, and Solaris (in alphabetical order).
On Thu, Sep 18, 2003 at 01:48:02PM +0200, berta wrote:> Is there a solution for the patch on freebsd boxes where > I do not keep any sources eg. the /usr/src is empty?Have you looked at freebsd-update in ports? This is a binary update mechanism. BMS
>>>This can be dangerous if you are ssh'ed in, and the restart kills your >>>connection rather than the daemon. >> >> All the restart target does is basically kill the pid using the pid file >> and then restart the daemon, so it is no more dangerous then the below. > >It's good that the FreeBSD script does not use 'killall' (for instance), but not >every SysV sshd script is as sensible. Of course, if you argued that a NG sshd >RC script might involve dependencies which affected other processes, you'd have >a point. :-)None of these are problems when sshd is run from inetd. The only reasons not to run sshd out of inetd are A) if the server needs to initiate dozens of sessions per minute or B) if it's not running inetd. Advantages to using inetd include connection count limiting, connection rate limiting, tcp_wrappers, address binding, and simplicity (KIS), among others. Back when ssh was originally developed, in the days of 50Mhz processors, key generation time made running sshd out of inetd slow. For the past several years, however, this has not been an issue. Why FreeBSd's default installation still uses a legacy stand-alone ssh daemon is a question many systems administrators are asking. -- Roger Marquis Roble Systems Consulting http://www.roble.com/