TUCoPS :: SCO :: cs2sco11.txt

Open UNIX, UnixWare: OpenSSH channel code vulnerability - Caldera Advisory CSSA-2002-SCO.11

To: bugtraq@securityfocus.com announce@lists.caldera.com scoannmod@xenitec.on.ca


            Caldera International, Inc. Security Advisory

Subject:                Open UNIX, UnixWare: OpenSSH channel code vulnerability
Advisory number:        CSSA-2002-SCO.11
Issue date:             2002 March 12
Cross reference:        CSSA-2002-SCO.10

1. Problem Description

        A  bug exists in the  channel code  of  OpenSSH  versions  2.0
        though 3.0.2.

        Existing users can use this bug  to gain root privileges.  The
        ability to exploit this vulnerability without an existing user
        account  has  not  yet  been  proven,  but  it  is  considered
        possible.  A  malicious ssh server could also  use this bug to
        exploit a connecting vulnerable client.

2. Vulnerable Supported Versions

        Operating System        Version         Affected Files
        UnixWare                7.1.1           all ssh distribution files
        Open UNIX               8.0.0           all ssh distribution files

3. Workaround


4. Open UNIX, UnixWare

  4.1 Location of Fixed Binaries


  4.2 Verification

        MD5 (openssh-3.1p1.pkg) = 795ce670574cfad348996be551cd498e

        md5 is available for download from

  4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following commands:

        Download openssh-3.1p1.pkg to the /tmp directory

        # pkgadd -d /tmp/openssh-3.1p1.pkg

5. References


        This and other advisories are located at

        This advisory addresses Caldera Security internal incidents
        sr861335, fz520314, erg711983.

6. Disclaimer

        Caldera International, Inc. is not  responsible for the misuse
        of  any of  the  information we provide on  our website and/or
        through our  security advisories. Our advisories are a service
        to  our customers  intended to promote secure installation and
        use of Caldera International products.

7. Acknowledgements

        Joost  Pol  <joost@pine.nl>  discovered  and  researched  this

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH