OpenBSD Journal

[OpenSSH] OpenSSH 3.0.2 Released

Contributed by Dengue on from the security-update dept.

OpenSSH 3.0.2 has been released. It addresses a vulnerability in the UseLogin feature (not enabled by default). Read more for the release announcement.

Subject: OpenSSH 3.0.2 fixes UseLogin vulnerability
   Date: Tue, 4 Dec 2001 13:48:19 +0100
   From: Markus Friedl



OpenSSH 3.0.2 has just been released. It will be available from the
mirrors listed at shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued
support and encouragement.

Important Changes:

        This release fixes a vulnerability in the UseLogin option
        of OpenSSH.  This option is not enabled in the default
        installation of OpenSSH.

        However, if UseLogin is enabled by the administrator, all
        versions of OpenSSH prior to 3.0.2 may be vulnerable to
        local attacks.

        The vulnerability allows local users to pass environment
        variables (e.g. LD_PRELOAD) to the login process.  The login
        process is run with the same privilege as sshd (usually
        with root privilege).

        Do not enable UseLogin on your machines or disable UseLogin
        again in /etc/sshd_config:
                UseLogin no

We also have received many reports about attacks against the crc32
bug.  This bug was fixed about 12 months ago in OpenSSH 2.3.0.
However, these attacks cause non-vulnerable daemons to chew a lot
of cpu since the crc32 attack sends a tremendously large amount of
data which must be processed.

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller and Ben Lindstrom.

The following patch fixes the UseLogin vulnerability in OpenSSH 3.0.1 and
earlier releases.

--- session.c   11 Oct 2001 13:45:21 -0000      1.108
+++ session.c   1 Dec 2001 22:14:39 -0000
@@ -875,6 +875,7 @@
                child_set_env(&env, &envsize, "TZ", getenv("TZ"));
        /* Set custom environment options from RSA authentication. */
+       if (!options.use_login)
        while (custom_environment) {
                struct envstring *ce = custom_environment;
                char *s = ce->s;
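
Review bot: The added `if (!options.use_login)` guards the whole multi-line `while (custom_environment)` loop without braces and sits at the same indentation as the loop, so the dependency is easy to miss and easy to break in a later edit; wrap the loop in braces and indent it under the condition. The comment above it still reads "Set custom environment options from RSA authentication" and should state that these options are skipped when UseLogin is set, and why.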

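As an added example (not part of the announcement or of the OpenSSH code), a shell check for the mitigation described above: it reports whether UseLogin is effectively enabled in a given sshd_config. It assumes that the first occurrence of a keyword wins, that keywords are case-insensitive, and that "true" is accepted as a synonym for "yes"; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an sshd_config file for the UseLogin option.
# Assumptions: first occurrence of a keyword wins, keywords are
# case-insensitive, an absent keyword means the default ("no"),
# and "true" is treated like "yes".

# Print the effective UseLogin value (lower case) for the file in $1.
uselogin_value() {
    awk '
        { sub(/#.*/, "") }      # drop comments, including "#UseLogin yes"
        { gsub(/=/, " ") }      # accept the "UseLogin=yes" spelling too
        tolower($1) == "uselogin" && !seen {
            print tolower($2)   # only the first occurrence counts
            seen = 1
        }
        END { if (!seen) print "no" }
    ' "$1"
}

# Exit status 0 when UseLogin is enabled in the file in $1.
uselogin_enabled() {
    case "$(uselogin_value "$1")" in
        yes|true) return 0 ;;
        *)        return 1 ;;
    esac
}

# Check every file named on the command line, e.g. /etc/sshd_config.
for f in "$@"; do
    if uselogin_enabled "$f"; then
        echo "$f: UseLogin is ENABLED, set 'UseLogin no' and upgrade"
    else
        echo "$f: UseLogin is off"
    fi
done
```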

  1. By Anonymous Coward () on

  2. By Anonymous Coward () on

    For about a month before the bug was made
    public, I was getting unauthorized log
    attempts via SSH. Made me wonder then,
    and has made me realize now, I should be
    wary of out of the ordinary traffic. ;)

