From owner-freebsd-announce Tue Dec 4 9:26:45 2001
Date: Tue, 4 Dec 2001 09:26:37 -0800 (PST)
Message-Id: <200112041726.fB4HQbA05231@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@FreeBSD.org
Subject: FreeBSD Security Advisory: FreeBSD-SA-01:63.openssh

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:63                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          OpenSSH UseLogin directive permits privilege escalation

Category:       core/ports
Module:         openssh
Announced:      2001-12-02
Credits:        Markus Friedl
Affects:        FreeBSD 4.3-RELEASE, 4.4-RELEASE
                FreeBSD 4.4-STABLE prior to the correction date
                Ports collection prior to the correction date
Corrected:      2001-12-03 00:53:28 UTC (RELENG_4)
                2001-12-03 00:54:18 UTC (RELENG_4_4)
                2001-12-03 00:54:54 UTC (RELENG_4_3)
                2001-12-02 06:52:40 UTC (openssh port)
FreeBSD only:   NO

I.   Background

OpenSSH is an implementation of the SSH1 and SSH2 secure shell protocols
for providing encrypted and authenticated network access, which is
available free for unrestricted use. Versions of OpenSSH are included in
the FreeBSD ports collection and the FreeBSD base system.

II.  Problem Description

OpenSSH includes a feature by which a user can arrange for environmental
variables to be set depending upon the key used for authentication. These
environmental variables are specified in the `authorized_keys' (SSHv1) or
`authorized_keys2' (SSHv2) files in the user's home directory on the
server. This is normally safe, as this environment is passed only to the
user's shell, which is invoked with user privileges.

However, when the OpenSSH server `sshd' is configured to use the system's
login program (via the directive `UseLogin yes' in sshd_config), this
environment is passed to login, which is invoked with superuser
privileges. Because certain environmental variables such as
LD_LIBRARY_PATH and LD_PRELOAD can be set using the previously described
feature, the user may arrange for login to execute arbitrary code with
superuser privileges.

All versions of FreeBSD 4.x prior to the correction date including FreeBSD
4.3 and 4.4 are potentially vulnerable to this problem. However, the
OpenSSH server is configured to not use the system login program
(`UseLogin no') by default, and is therefore not vulnerable unless the
system administrator has changed this setting.

In addition, there are two versions of OpenSSH included in the ports
collection. One is ports/security/openssh, which is the BSD-specific
version of OpenSSH. Versions of this port prior to openssh-3.0.2 exhibit
the problem described above. The other is ports/security/openssh-portable,
which is not vulnerable, even if the server is set to `UseLogin yes'.

III. Impact

Hostile but otherwise legitimate users that can successfully authenticate
using public key authentication may cause /usr/bin/login to run arbitrary
code as the superuser.

If you have not enabled the 'UseLogin' directive in the sshd configuration
file, you are not vulnerable to this problem.

IV.  Workaround

Doing one of the following will eliminate the vulnerability:

1) Configure sshd to not use the system login program. Edit the server
configuration file and change any `UseLogin' directives to `UseLogin no'.
This is the preferred workaround.

2) If for whatever reason, disabling `UseLogin' is not possible, then one
can instead disable public key authentication. Edit the server
configuration file and change any `RSAAuthentication',
`DSAAuthentication', or `PubKeyAuthentication' directives to
`RSAAuthentication no', `DSAAuthentication no', and
`PubKeyAuthentication no', respectively.

For sshd included in the base system (/usr/bin/sshd), the server
configuration file is `/etc/ssh/sshd_config'. For sshd from the ports
collection, the server configuration file is `/usr/local/etc/sshd_config'.

After modifying the sshd configuration file, the sshd daemon must be
restarted by executing the following command as root:

# kill -HUP `cat /var/run/sshd.pid`

V.   Solution

1) Upgrade the vulnerable system to 4.3-RELEASEp21, 4.4-RELEASEp1, or
4.4-STABLE after the correction date, or patch your current system source
code and rebuild.

2) FreeBSD 4.x systems prior to the correction date:

The following patch has been verified to apply to FreeBSD 4.3-RELEASE,
4.4-RELEASE, and 4.4-STABLE dated prior to the correction date. It may or
may not apply to older, unsupported versions of FreeBSD.

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:63/sshd.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:63/sshd.patch.asc

Execute the following commands as root:

# cd /usr/src/crypto/openssh
# patch < /path/to/sshd.patch
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install

3) FreeBSD 4.4-RELEASE systems:

An experimental upgrade package is available for users who wish to provide
testing and feedback on the binary upgrade process. This package may be
installed on FreeBSD 4.4-RELEASE systems only, and is intended for use on
systems for which source patching is not practical or convenient. If you
use the upgrade package, feedback (positive or negative) to
security-officer@FreeBSD.org is requested so we can improve the process
for future advisories.

During the installation procedure, backup copies are made of the files
which are replaced by the package. These backup copies will be reinstalled
if the package is removed, reverting the system to a pre-patched state. In
addition, the package automatically restarts the sshd daemon if it is
running.

Three versions of the upgrade package are available, depending on whether
or not the system has the kerberosIV or kerberos5 distributions installed.

3a) For systems without kerberosIV or kerberos5 installed:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-01.63.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-01.63.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-sshd-01.63.tgz

3b) For systems with kerberosIV only installed:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-01.63.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-01.63.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-sshd-kerberosIV-01.63.tgz

3c) For systems with kerberos5 only installed:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberos5-01.63.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberos5-01.63.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-sshd-kerberos5-01.63.tgz

3d) For systems with both kerberosIV and kerberos5 installed:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-kerberos5-01.63.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-kerberos5-01.63.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-sshd-kerberosIV-kerberos5-01.63.tgz

[Ports collection]

One of the following:

1) Upgrade your entire ports collection and rebuild the OpenSSH port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/openssh-3.0.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/openssh-3.0.2.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

NOTE: It may be several days before updated packages are available. Be
sure to check the file creation date on the package, because the version
number of the software has not changed.

3) Download a new port skeleton for the openssh port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Correction details

Path                                         Branch      Revision
- -------------------------------------------------------------------------
src/crypto/openssh/session.c                 HEAD        1.18
                                             RELENG_4    1.4.2.11
                                             RELENG_4_4  1.4.2.8.4.1
                                             RELENG_4_3  1.4.2.8.2.1
src/crypto/openssh/version.h                 HEAD        1.9
                                             RELENG_4    1.1.1.1.2.7
                                             RELENG_4_4  1.1.1.1.2.5.2.1
                                             RELENG_4_3  1.1.1.1.2.4.2.1
ports/security/openssh/Makefile                          1.79
- -------------------------------------------------------------------------

For OpenSSH included in the base system, there is a version string
indicating which FreeBSD localizations are available. The following table
lists the version strings for each branch which include this security fix:

Branch      Version string
- -------------------------------------------------------------------------
HEAD        OpenSSH_2.9 FreeBSD localisations 20011202
RELENG_4    OpenSSH_2.9 FreeBSD localisations 20011202
RELENG_4_4  OpenSSH_2.3.0 FreeBSD localisations 20011202
RELENG_4_3  OpenSSH_2.3.0 green@FreeBSD.org 20011202
- -------------------------------------------------------------------------

To view the version string of the OpenSSH server, execute the following
command:

% /usr/sbin/sshd -\?

The version string is also displayed when a client connects to the server.

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPAz4rlUuHi5z0oilAQGNBwQAl68aZL6hfJaeAFlNlKwrARJ2XgwjkII2
q6Nir5KFgeYkPilDdElua81MU5FxUgSyYYBLADRrtyht6otqmK8u5GZJMrKPXadi
ys3nnqH/LYYREe2RVYmzXOSgjn2q0rqm9zNgYoddQjbTnpRxRq//SuOMVTRoYlJC
5QznzsMiK1U=
=XSLb
-----END PGP SIGNATURE-----

This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
See also the FreeBSD Web pages at http://www.freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-announce" in the body of the message

From owner-freebsd-announce Tue Dec 4 10:54:29 2001
Date: Tue, 4 Dec 2001 10:54:18 -0800 (PST)
Message-Id: <200112041854.fB4IsI319200@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-01:64.wu-ftpd

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:64                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          wu-ftpd port contains remote root compromise

Category:       ports
Module:         wu-ftpd
Announced:      2001-12-04
Credits:        CORE Security Technologies
                Contact: Ivan Arce (iarce@corest.com)
Affects:        Ports collection prior to the correction date
Corrected:      2001-11-28 10:52:26 UTC
FreeBSD only:   NO

I.   Background

wu-ftpd is a popular full-featured FTP server.

II.  Problem Description

The wu-ftpd port, versions prior to wu-ftpd-2.6.1_7, contains a
vulnerability which allows FTP users, both anonymous FTP users and those
with valid accounts, to execute arbitrary code as root on the local
machine.
This may be accomplished by inserting invalid globbing parameters which
are incorrectly parsed by the FTP server into command input.

The wu-ftpd port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains over
6000 third-party applications in a ready-to-install format. The ports
collection shipped with FreeBSD 4.4 contains this problem since it was
discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

III. Impact

FTP users, including anonymous FTP users, can cause arbitrary commands to
be executed as root on the local machine.

If you have not chosen to install the wu-ftpd port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the wu-ftpd port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the wu-ftpd port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/ftp/wu-ftpd-2.6.1_7.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/ftp/wu-ftpd-2.6.1_7.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

NOTE: It may be several days before updated packages are available. Be
sure to check the file creation date on the package, because the version
number of the software has not changed.

3) Download a new port skeleton for the wu-ftpd port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.

Path                                                             Revision
- -------------------------------------------------------------------------
ports/ftp/wu-ftpd/Makefile                                           1.41
ports/ftp/wu-ftpd/files/patch-ap                                      1.2
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPA0CA1UuHi5z0oilAQENSQP9HaHiACNyiHZtV8ILnUZWb+D01qf0wTy2
gbZJGfKL/JTP41KLR4EpUitF5SZ+3Zjm8Ebv8XXCjCFWgIBU1xhZaXgi2U9PRLlG
XxHKzvpGnTuBj3uJiLs2UvAbQ9Jz5Wp02u6fJV75dcbnXTPLSGRvxJZwOb2FHxnE
MBUlG+QDpPw=
=sp+c
-----END PGP SIGNATURE-----
From owner-freebsd-announce Thu Dec 6 22: 9:53 2001
Date: Thu, 06 Dec 2001 13:36:57 -0800
Message-ID: <3C0FE4F9.253C9C53@opensound.com>
From: 4Front Technologies
Reply-To: opensound@mediaone.net
To: freebsd-announce@freebsd.org
Subject: Open Sound System 3.9.6 for FreeBSD 4.4 announced

FOR IMMEDIATE RELEASE

Open Sound System v3.9.6 Released.

CULVER CITY, CA, December 6, 2001: 4Front Technologies is announcing the
availability of Open Sound System(TM) (OSS) version 3.9.6 for FreeBSD 4.4.

OSS provides sound card drivers for most popular sound cards for the above
operating system. These drivers support digital audio, MIDI, Synthesizers
and mixers found on sound cards. These sound drivers comply with the Open
Sound System API specification. OSS provides a user-friendly GUI which
makes the installation of sound drivers and configuration of sound cards
very simple. OSS supports over 250 brand name sound cards. OSS drivers
provide automatic sound card detection, Plug-n-Play support, support for
PCI audio soundcards and support for full duplex audio.

What's new in 3.9.6?

- Volume control and VU level meters for 4Front's Virtual Mixer engine.
- Number of Virtual Mixer and IMUX devices now configurable up to 48
  devices.
- Support for Sound Blaster Audigy (Beta)
- New SBLive! drivers
  o Full front/rear channel volume controls
  o 4 channel equalizer
  o S/PDIF in/out/digital-cd playback via front/rear speakers
  o Volume controls for hardware channels (/dev/dspXX volume)
  o Record-as-you-play - capture playback channel in real-time
  o Volume controls for S/PDIF input/output with VU meters
- SiS 7012 audio with 4 and 6 channel support including S/PDIF.
- Intel 810/815/820/845 (ICH2/ICH3) S/PDIF-out and 4/6 channel support.
- VIA VT8233 audio with multichannel output support.
- Updated Envy24 drivers with support for Terratec EW88MT/Hoontech DSP24
- Virtual Mixer and Input Multiplexer drivers now support up to 48
  channels.
- CMedia CM8738 with 4/6 channel and S/PDIF in/out support
- Updated National Semiconductor Geode (CS5530) driver

For more information and to download a free 7 day evaluation version,
visit 4Front's WWW site at http://www.opensound.com

ABOUT 4FRONT TECHNOLOGIES:

4Front is a privately held company with development facilities in
California, Finland and Sweden. 4Front's main focus is on developing audio
solutions for the UNIX, Linux and embedded Systems marketplace. 4Front is
the developer of Open Sound System and is released under a BSD license.
Open Sound System has become the "de-facto" audio API that is now
distributed with Linux and FreeBSD kernel sources and licensed by
companies like SCO, Wind River Systems, Hewlett Packard and endorsed by
SUN Microsystems. Open Sound System provides a cross-platform audio API
with device drivers for over 250 brand name sound cards from vendors like
Creative Labs, Yamaha, Cirrus Logic, MIDIMan, ESS Technologies, CMedia and
others. More information on Open Sound System and 4Front Technologies is
available at http://www.opensound.com.

4Front Technologies is also the developer of X MultiMedia System (XMMS).
XMMS is developed by 4Front Technologies under the GNU Public License
(GPL) and has a large world-wide developer base that contributes plugins
and enhancements. XMMS is a cross platform multimedia player that supports
MP3, Ogg, Wave, CD, MOD, MIDI, and digital audio and Mpeg1, AVI, Mpeg2
video formats. XMMS is distributed with all the major Linux and FreeBSD
distributions. It has become the de-facto media player and has won
world-wide acclaim as being one of the best media players for UNIX and
Linux. XMMS has won numerous awards from Slashdot, Linux Magazine, Linux
Journal and others. More information on XMMS is available at
http://www.xmms.org.

--- xxx ---

All trademarks and copyrights belong to their respective owners. Open
Sound System is a trademark of 4Front Technologies.
Copyright (C) 1996-2001, 4Front Technologies, All Rights Reserved.

4Front Technologies
4035 Lafayette Place, Unit F
Culver City, CA 90232 USA.
Tel: (310) 202 8530    E-mail: info@opensound.com
Fax: (310) 202 0486    Web: http://www.opensound.com
From owner-freebsd-announce Fri Dec 7 4:30:27 2001
Date: Fri, 7 Dec 2001 04:30:11 -0800 (PST)
Message-Id: <200112071230.fB7CUB066488@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-01:63.openssh

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:63                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          OpenSSH UseLogin directive permits privilege escalation
                [REVISED]

Category:       core/ports
Module:         openssh
Announced:      2001-12-02
Revised:        2001-12-06
Credits:        Markus Friedl
Affects:        FreeBSD 4.3-RELEASE, 4.4-RELEASE
                FreeBSD 4.4-STABLE prior to the correction date
                Ports collection prior to the correction date
Corrected:      2001-12-03 00:53:28 UTC (RELENG_4)
                2001-12-03 00:54:18 UTC (RELENG_4_4)
                2001-12-03 00:54:54 UTC (RELENG_4_3)
                2001-12-02 06:52:40 UTC (openssh port)
FreeBSD only:   NO

0.   Revision History

v1.0  2001-12-02  Initial release
v1.1  2001-07-31  Corrected patch instructions

I.   Background

OpenSSH is an implementation of the SSH1 and SSH2 secure shell protocols
for providing encrypted and authenticated network access, which is
available free for unrestricted use. Versions of OpenSSH are included in
the FreeBSD ports collection and the FreeBSD base system.

II.  Problem Description

OpenSSH includes a feature by which a user can arrange for environmental
variables to be set depending upon the key used for authentication. These
environmental variables are specified in the `authorized_keys' (SSHv1) or
`authorized_keys2' (SSHv2) files in the user's home directory on the
server. This is normally safe, as this environment is passed only to the
user's shell, which is invoked with user privileges.

However, when the OpenSSH server `sshd' is configured to use the system's
login program (via the directive `UseLogin yes' in sshd_config), this
environment is passed to login, which is invoked with superuser
privileges. Because certain environmental variables such as
LD_LIBRARY_PATH and LD_PRELOAD can be set using the previously described
feature, the user may arrange for login to execute arbitrary code with
superuser privileges.

All versions of FreeBSD 4.x prior to the correction date including FreeBSD
4.3 and 4.4 are potentially vulnerable to this problem. However, the
OpenSSH server is configured to not use the system login program
(`UseLogin no') by default, and is therefore not vulnerable unless the
system administrator has changed this setting.

In addition, there are two versions of OpenSSH included in the ports
collection. One is ports/security/openssh, which is the BSD-specific
version of OpenSSH. Versions of this port prior to openssh-3.0.2 exhibit
the problem described above. The other is ports/security/openssh-portable,
which is not vulnerable, even if the server is set to `UseLogin yes'.

III. Impact

Hostile but otherwise legitimate users that can successfully authenticate
using public key authentication may cause /usr/bin/login to run arbitrary
code as the superuser.

If you have not enabled the 'UseLogin' directive in the sshd configuration
file, you are not vulnerable to this problem.

IV.  Workaround

Doing one of the following will eliminate the vulnerability:

1) Configure sshd to not use the system login program. Edit the server
configuration file and change any `UseLogin' directives to `UseLogin no'.
This is the preferred workaround.

2) If for whatever reason, disabling `UseLogin' is not possible, then one
can instead disable public key authentication. Edit the server
configuration file and change any `RSAAuthentication',
`DSAAuthentication', or `PubKeyAuthentication' directives to
`RSAAuthentication no', `DSAAuthentication no', and
`PubKeyAuthentication no', respectively.

For sshd included in the base system (/usr/bin/sshd), the server
configuration file is `/etc/ssh/sshd_config'. For sshd from the ports
collection, the server configuration file is `/usr/local/etc/sshd_config'.

After modifying the sshd configuration file, the sshd daemon must be
restarted by executing the following command as root:

# kill -HUP `cat /var/run/sshd.pid`

V.   Solution

1) Upgrade the vulnerable system to 4.3-RELEASEp21, 4.4-RELEASEp1, or
4.4-STABLE after the correction date, or patch your current system source
code and rebuild.

2) FreeBSD 4.x systems prior to the correction date:

The following patch has been verified to apply to FreeBSD 4.3-RELEASE,
4.4-RELEASE, and 4.4-STABLE dated prior to the correction date. It may or
may not apply to older, unsupported versions of FreeBSD.

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:63/sshd.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:63/sshd.patch.asc

Execute the following commands as root:

# cd /usr/src/crypto/openssh
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install

3) FreeBSD 4.4-RELEASE systems:

An experimental upgrade package is available for users who wish to provide
testing and feedback on the binary upgrade process. This package may be
installed on FreeBSD 4.4-RELEASE systems only, and is intended for use on
systems for which source patching is not practical or convenient. If you
use the upgrade package, feedback (positive or negative) to
security-officer@FreeBSD.org is requested so we can improve the process
for future advisories.

During the installation procedure, backup copies are made of the files
which are replaced by the package. These backup copies will be reinstalled
if the package is removed, reverting the system to a pre-patched state. In
addition, the package automatically restarts the sshd daemon if it is
running.

Three versions of the upgrade package are available, depending on whether
or not the system has the kerberosIV or kerberos5 distributions installed.

3a) For systems without kerberosIV or kerberos5 installed:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-01.63.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-01.63.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-sshd-01.63.tgz

3b) For systems with kerberosIV only installed:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-01.63.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-01.63.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-sshd-kerberosIV-01.63.tgz

3c) For systems with kerberos5 only installed:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberos5-01.63.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberos5-01.63.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-sshd-kerberos5-01.63.tgz

3d) For systems with both kerberosIV and kerberos5 installed:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-kerberos5-01.63.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-kerberos5-01.63.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-sshd-kerberosIV-kerberos5-01.63.tgz

[Ports collection]

One of the following:

1) Upgrade your entire ports collection and rebuild the OpenSSH port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/openssh-3.0.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/openssh-3.0.2.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

NOTE: It may be several days before updated packages are available. Be
sure to check the file creation date on the package, because the version
number of the software has not changed.

3) Download a new port skeleton for the openssh port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Correction details

Path                                         Branch      Revision
- -------------------------------------------------------------------------
src/crypto/openssh/session.c                 HEAD        1.18
                                             RELENG_4    1.4.2.11
                                             RELENG_4_4  1.4.2.8.4.1
                                             RELENG_4_3  1.4.2.8.2.1
src/crypto/openssh/version.h                 HEAD        1.9
                                             RELENG_4    1.1.1.1.2.7
                                             RELENG_4_4  1.1.1.1.2.5.2.1
                                             RELENG_4_3  1.1.1.1.2.4.2.1
ports/security/openssh/Makefile                          1.79
- -------------------------------------------------------------------------

For OpenSSH included in the base system, there is a version string
indicating which FreeBSD localizations are available. The following table
lists the version strings for each branch which include this security fix:

Branch      Version string
- -------------------------------------------------------------------------
HEAD        OpenSSH_2.9 FreeBSD localisations 20011202
RELENG_4    OpenSSH_2.9 FreeBSD localisations 20011202
RELENG_4_4  OpenSSH_2.3.0 FreeBSD localisations 20011202
RELENG_4_3  OpenSSH_2.3.0 green@FreeBSD.org 20011202
- -------------------------------------------------------------------------

To view the version string of the OpenSSH server, execute the following
command:

% /usr/sbin/sshd -\?

The version string is also displayed when a client connects to the server.

VII. References

-----BEGIN PGP SIGNATURE-----
Comment: http://www.nectar.cc/pgp

iQCVAwUBPBC1VlUuHi5z0oilAQHNQAQAhKLEjAAb5W7HMnqbNpKJWSsPQKDuspYB
N76xiTuzNmS1EFQXgoTlCFD3GZtXsBiiXImxUemyvCA+7yqhhVJIoz43JUa6ts/y
1/KES4LVO1PS/HMBgaywbX5zdtdUzMe1kBVkE6FJeMHQN6RFdOPKe9a2Kx41GlvC
9naCzrq/Pg4=
=w2iN
-----END PGP SIGNATURE-----
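The audit below is an added example and is not part of the advisory, of FreeBSD, or of OpenSSH. It checks a host for the combination FreeBSD-SA-01:63 describes: `UseLogin yes` in sshd_config while public-key authentication is still on (the advisory's two workarounds each remove one of those), together with `environment="VAR=value"` options on keys in authorized_keys or authorized_keys2, flagging the LD_PRELOAD and LD_LIBRARY_PATH cases the advisory names. It handles both the SSH1 (`bits exponent modulus`) and SSH2 (`ssh-rsa`/`ssh-dss`) key line forms the advisory mentions. Assumptions are stated in the module docstring: sshd keeps the first value it reads for a duplicated keyword, keywords are case-insensitive, and authorized_keys option values may be double-quoted with backslash escapes. The sshd_config and authorized_keys contents are constructed samples with placeholder key material.

```python
"""Audit for the FreeBSD-SA-01:63 preconditions. Added example, not FreeBSD
or OpenSSH code. Assumed parsing rules: sshd keeps the FIRST value read for
a keyword (later duplicates are ignored), keywords are case-insensitive, '#'
lines are comments; authorized_keys options are comma-separated, values may
be double-quoted, and a backslash inside quotes escapes the next character."""
import re

# Named by the advisory: with `UseLogin yes` these reach root-run login(1).
LINKER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH"}
# The directives the advisory's second workaround turns off (default: yes).
PUBKEY_KEYWORDS = ("rsaauthentication", "dsaauthentication", "pubkeyauthentication")


def effective_options(config_text):
    """Lower-cased keyword -> value, first occurrence wins."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = re.split(r"[\s=]+", line, maxsplit=1)
            if len(parts) == 2:
                opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts


def uselogin_enabled(config_text):
    """UseLogin defaults to 'no', which is why a stock FreeBSD is not exposed."""
    return effective_options(config_text).get("uselogin", "no").lower() == "yes"


def pubkey_auth_enabled(config_text):
    """True while any public-key mechanism is still on."""
    opts = effective_options(config_text)
    return any(opts.get(k, "yes").lower() == "yes" for k in PUBKEY_KEYWORDS)


def split_options(text):
    """Split an option list on commas outside double quotes; the quote
    characters are dropped and backslash escapes inside them are resolved."""
    items, cur, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if quoted and c == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    items.append("".join(cur))
    return [item for item in items if item]


def options_field(line):
    """Option list at the start of a key line, or '' when the first field is
    an SSH2 key type or an SSH1 bit count. Options end at unquoted whitespace."""
    quoted, i = False, 0
    while i < len(line):
        c = line[i]
        if quoted and c == "\\":
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            break
        i += 1
    first = line[:i]
    return "" if first.startswith("ssh-") or first.isdigit() else first


def key_environments(authorized_keys_text):
    """[(line_no, var, value, is_linker_var)] for each environment= option."""
    found = []
    for n, raw in enumerate(authorized_keys_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for opt in split_options(options_field(line)):
            name, sep, rest = opt.partition("=")
            if sep and name.lower() == "environment":
                var, _, value = rest.partition("=")
                found.append((n, var, value, var in LINKER_VARS))
    return found


def audit(config_text, authorized_keys_text):
    """Exposed, in the advisory's terms, only when UseLogin AND public-key
    auth are both on; environment= options show which keys could abuse it."""
    uselogin, pubkey = uselogin_enabled(config_text), pubkey_auth_enabled(config_text)
    envs = key_environments(authorized_keys_text)
    return {"exposed": uselogin and pubkey, "uselogin": uselogin,
            "pubkey_auth": pubkey, "env_options": envs,
            "linker_vars": [e for e in envs if e[3]]}


# Constructed samples (placeholder key material, not real keys).
SAMPLE_SSHD_CONFIG = """\
# the second UseLogin line is ignored: sshd keeps the first value
Port 22
UseLogin yes
UseLogin no
PubkeyAuthentication yes
"""
SAMPLE_AUTHORIZED_KEYS = """\
# key bodies are placeholders
ssh-rsa AAAAB3NzaC1yc2E...placeholder... alice@example.org
environment="LD_PRELOAD=/tmp/evil.so",command="/bin/true",no-pty ssh-dss AAAAB3NzaC1kc3M...placeholder... mallory@example.org
environment="TZ=UTC" 1024 35 1234567890...placeholder... legacy-ssh1@example.org
"""
```

Run `audit(open("/etc/ssh/sshd_config").read(), open(path_to_authorized_keys).read())` per user; `exposed` is the advisory's yes/no, and `linker_vars` lists the keys that already carry a loader variable. The first-occurrence rule matters for the check: appending `UseLogin no` at the end of a file that already says `UseLogin yes` does not apply the workaround, which is why the sample config keeps the earlier `yes`.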