Security Information / 2001 / Security Information -- DSA-091-1 ssh

Debian Security Advisory

DSA-091-1 ssh -- influencing login

Date Reported:

05 Dec 2001

Affected Packages:

ssh

Vulnerable:

Yes

Security database references:

In the Bugtraq database (at SecurityFocus): BugTraq ID 3614.
In Mitre's CVE dictionary: CVE-2001-0872.

More information:

If the UseLogin feature is enabled in ssh local users could pass environment variables (including variables like LD_PRELOAD) to the login process. This has been fixed by not copying the environment if UseLogin is enabled.

Please note that the default configuration for Debian does not have UseLogin enabled.

This has been fixed in version 1:1.2.3-9.4.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Source:

http://security.debian.org/dists/stable/updates/main/source/openssh_1.2.3-9.4.diff.gz

http://security.debian.org/dists/stable/updates/main/source/openssh_1.2.3-9.4.dsc

http://security.debian.org/dists/stable/updates/main/source/openssh_1.2.3.orig.tar.gz

Architecture-independent component:

http://security.debian.org/dists/stable/updates/main/binary-all/ssh-askpass-ptk_1.2.3-9.4_all.deb

Alpha:

http://security.debian.org/dists/stable/updates/main/binary-alpha/ssh-askpass-gnome_1.2.3-9.4_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/ssh_1.2.3-9.4_alpha.deb

ARM:

http://security.debian.org/dists/stable/updates/main/binary-arm/ssh-askpass-gnome_1.2.3-9.4_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/ssh_1.2.3-9.4_arm.deb

Intel IA-32:

http://security.debian.org/dists/stable/updates/main/binary-i386/ssh-askpass-gnome_1.2.3-9.4_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/ssh_1.2.3-9.4_i386.deb

Motorola 680x0:

http://security.debian.org/dists/stable/updates/main/binary-m68k/ssh-askpass-gnome_1.2.3-9.4_m68k.deb

http://security.debian.org/dists/stable/updates/main/binary-m68k/ssh_1.2.3-9.4_m68k.deb

PowerPC:

http://security.debian.org/dists/stable/updates/main/binary-powerpc/ssh-askpass-gnome_1.2.3-9.4_powerpc.deb

http://security.debian.org/dists/stable/updates/main/binary-powerpc/ssh_1.2.3-9.4_powerpc.deb

Sun Sparc:

http://security.debian.org/dists/stable/updates/main/binary-sparc/ssh-askpass-gnome_1.2.3-9.4_sparc.deb

http://security.debian.org/dists/stable/updates/main/binary-sparc/ssh_1.2.3-9.4_sparc.deb

MD5 checksums of the listed files are available in the original advisory.