From: Chris Davies
Date: Thu, 07 Mar 2002 20:04:55 +0000
To: gentoo-dev@gentoo.org
Subject: [gentoo-dev] OpenSSH Security Fix.
Message-ID: <3C87C7E7.9040407@cdavies.org>

Hi,

I haven't seen anything in bugs or this list about this, so here is the news: CERT have issued an advisory about OpenSSH; the bug in question enables existing users to gain root privileges.

The advisory is here: http://www.pine.nl/advisories/pine-cert-20020301.txt

The fix is to upgrade to the latest OpenSSH (3.1p1) ASAP. May I politely suggest that a new ebuild be constructed post-haste? :)

Anyway, for those at risk, I have constructed an emergency ebuild and digest file, so you may upgrade immediately. The files can be found here: http://www.cdavies.org/gentoo/

Put the digest file in /usr/portage/net-misc/openssh/files and the ebuild in /usr/portage/net-misc/openssh and rerun emerge openssh.

If anyone thinks it is worthwhile, I will also post this message to the gentoo users list, but at present I'm not going to do that.

Thanks,
C.Davies (c.davies@cdavies.org)