[sflack-security] openssh (SFSA:2007-255-01)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


[sflack-security] openssh (SFSA:2007-255-01)

New openssh packages are available for Sflack 11.0, and 12.0
to fix a possible security issue. This version should
also provide increased performance with certain ciphers.

More details about this issue may be found in the Common
Vulnerabilities and Exposures (CVE) database:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4752


Here are the details from the Sflack 12.0 ChangeLog:
+--------------------------+
patches/packages/openssh-4.7p1-x86_64-1_sflack12.0.tgz:
Upgraded to openssh-4.7p1.
From the OpenSSH release notes:
"Security bugs resolved in this release: Prevent ssh(1) from using a
trusted X11 cookie if creation of an untrusted cookie fails; found and
fixed by Jan Pechanec."
While it's fair to say that we here at Sflack don't see how this could
be leveraged to compromise a system, a) the OpenSSH people (who presumably
understand the code better) characterize this as a security bug, b) it has
been assigned a CVE entry, and c) OpenSSH is one of the most commonly used
network daemons. Better safe than sorry.
More information should appear here eventually:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4752
(* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at Evolva Telecom
(http://evolva.ro) and serghei.net (http://serghei.net)
for donating additional FTP and rsync hosting
to the Sflack project! :-)

Also see the "Get Sflack" section on http://sflack.com for
additional mirror sites near you.

Updated package for Sflack 11.0:
ftp://ftp.sflack.com/pub/sflack/sflack-11.0/patches/packages/openssh-4.7p1-x86_64-1_sflack11.0.tgz

Updated package for Sflack 12.0:
ftp://ftp.sflack.com/pub/sflack/sflack-12.0/patches/packages/openssh-4.7p1-x86_64-1_sflack12.0.tgz


MD5 signatures:
+-------------+

Sflack 11.0 package:
57fb79bc81995a46fc9eb98f87f42b63 openssh-4.7p1-x86_64-1_sflack11.0.tgz

Sflack 12.0 package:
e138c89cef693b9e93fdb08a719ce39c openssh-4.7p1-x86_64-1_sflack12.0.tgz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg openssh-4.7p1-x86_64-1_sflack12.0.tgz


+-----+

Sflack Linux Security Team
http://sflack.com/gpg-key
security at sflack.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFG6RdCw79R6/xskD8RAngfAKDDN9GIodJRHdMZKbCYaV0xKrf5iACbB8VC
vGacfV7Qbc5am/yH46/Stg8=
=SsVi
-----END PGP SIGNATURE-----