OpenPKG Corporation
OpenPKG CorporationSecuritySecurity Advisories

OpenPKG Security Advisory

OpenPKG-SA-2003.035

Publisher Name:          OpenPKG GmbH
Publisher Home:          http://openpkg.com/

Advisory Id (public):    OpenPKG-SA-2003.035
Advisory Type:           OpenPKG Security Advisory (SA)
Advisory Directory:      http://openpkg.com/go/OpenPKG-SA
Advisory Document:       http://openpkg.com/go/OpenPKG-SA-2003.035
Advisory Published:      2010-02-09 13:34 UTC

Issue Id (internal):     OpenPKG-SI-20030806.01
Issue First Created:     2003-08-06
Issue Last Modified:     2006-11-28
Issue Revision:          06



Subject Name:            OpenSSH
Subject Summary:         Secure Shell (SSH)
Subject Home:            http://www.openssh.com/
Subject Versions:        * <= 3.6.1p1

Vulnerability Id:        CVE-2003-0190
Vulnerability Scope:     global (not OpenPKG specific)

Attack Feasibility:      run-time
Attack Vector:           remote network
Attack Impact:           exposure of sensitive information

Description:
    According to a Mediaservice.net security advisory [0], an information
    leakage exists in OpenSSH [1] 3.6.1p1 and earlier if PAM support
    is enabled. When a user does not exists, an error message is sent
    immediately (without any delays) which allows remote attackers to
    determine valid usernames via a timing attack. OpenPKG installations
    are only affected if the package was build with option "with_pam"
    set to "yes" -- which is not the default.
    
    We could only reproduce the problem on Linux. FreeBSD and Solaris are
    not vulnerable, the patch does not affect their behaviour. However,
    the problem is related to the PAM configuration, not the operating
    system. Using a non-default configuration might leak information on
    other operating systems, too. On Linux systems, a valid workaround is
    to add a "nodelay" option to the pam_unix.so auth.

References:
    [0] http://lab.mediaservice.net/advisory/2003-01-openssh.txt
    [1] http://www.openssh.com/
    [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190
    [3] http://www.openpkg.org/tutorial.html#regular-source
    [4] http://www.openpkg.org/tutorial.html#regular-binary
    [5] ftp://ftp.openpkg.org/release/1.2/UPD/openssh-3.5p1-1.2.2.src.rpm
    [6] ftp://ftp.openpkg.org/release/1.2/UPD/
    [7] http://www.openpkg.org/security.html#signature



Primary Package Name:    openssh
Primary Package Home:    http://openpkg.org/go/package/openssh

Affected Distribution:   Affected Branch:  Affected Package:
OpenPKG Community        1.2-SOLID         openssh-3.5p1-1.2.1
OpenPKG Community        1.3-SOLID         n/a
OpenPKG Community        CURRENT           openssh-3.6.1p1-20030423

Corrected Distribution:  Corrected Branch: Corrected Package:
OpenPKG Community        1.2-SOLID         openssh-3.5p1-1.2.2
OpenPKG Community        1.3-SOLID         n/a
OpenPKG Community        CURRENT           openssh-3.6.1p2-20030429
Plain Text Version

Latest Advisories:
2007.023 perl
2007.022 bind
2007.021 wordpress
2007.020 php
2007.019 php
2007.018 freetype
2007.017 ratbox
2007.016 gd
2007.015 quagga
2007.014 bind
more...

See Also:
OpenPKG Enterprise 1
ChangeLog!

Meta: About | Imprint | Policy | Feedback | Sitemap | Search:
Validation: XHTML | CSS