
Security Advisory: Upgrade to OpenSSH 3.1p1 System
From http://www.stepwise.com/Articles/Workbench/2001-12-17.01.html

"A serious security issue has been discovered in OpenSSH 3.0.2 (Apple ships this version with Mac OS X 10.1.3) update to the latest version as soon as possible."

The article goes on to describe how to install OpenSSH 3.1p1.

See also http://www.openbsd.org/advisories/ssh_channelalloc.txt

Can't get openssh to compile
Authored by: oeyvind on Mar 08, '02 02:33:26AM

Did exactly as the article... can't get openssh to even finish configuring... it's complaining that it can't find the openssl directory.

Any idea?



Can't get openssh to compile
Authored by: lovejoy on Mar 08, '02 09:00:34AM
Did you download and fully compile the OpenSSL library? This is the second step in the 3-step process as listed at:
    http://www.stepwise.com/Articles/Workbench/2001-12-17.01.html
I did that and then used the commercial/non-commercial SSH source from SSH.com, and got no errors. Lovejoy

Can't get openssh to compile
Authored by: oeyvind on Mar 08, '02 11:11:01AM

did these steps for sure:

curl -O http://www3.stepwise.com/Articles/Workbench/OpenSSL-0.9.6b-7.1.tar.gz

gnutar -xzf OpenSSL-0.9.6b-7.1.tar.gz
cd OpenSSL-7-1/openssl

./config

sudo mkdir -p /usr/local/include
sudo rm -rf /usr/local/include/openssl
sudo cp -r include/openssl /usr/local/include/openssl

I checked /usr/local/include/openssl after the last steps... it's all dead links referring to something like ../../crypto/blah blah.h

I even tried copying all the headers according to the list... no go either.



Can't get openssh to compile
Authored by: see on Mar 08, '02 11:32:02AM

That was not any problem for me at least... /usr/local/include/openssl is correct for me. Be sure you type everything right; sometimes an extra / at the end might *censored* up things... but problems arise for me when compiling the ssh source.



Can't get openssh to compile
Authored by: oeyvind on Mar 08, '02 01:12:36PM

Yes, did exactly... anyway, worst case I will wait for Apple's update.



Can't get openssh to compile
Authored by: Brad Puett on Mar 11, '02 01:45:50PM

I believe I have found the answer to oeyvind's (as well as my) problem.

Here's the solution:

Do everything just like it says in the Stepwise article
(http://www.stepwise.com/Articles/Workbench/2001-12-17.01.html)

EXCEPT:

instead of using the following line (which is the last
line in the instructions to compile the OpenSSL library):

sudo cp -r include/openssl /usr/local/include/openssl

Use this line instead:

sudo cp -RL include/openssl /usr/local/include/openssl

Here's the secret from the man page for cp:

"Historic versions of the cp utility had a -r option. This
implementation supports that option; however, its use
is strongly discouraged, as it does not correctly copy
special files, symbolic links or fifo's."

The problem was that, by using the -r option of the cp
command, you (and I) were copying the soft links as is
(example: asn1.h -> ../../crypto/asn1/asn1.h),
which meant it was trying to find the crypto directory in
the /usr/local directory, which was never going to happen.

By using the -RL option, it will copy over the actual files,
instead of making relative pointers to them
(example: asn1.h)

Try it and let me know how it turns out!

I'll send this solution to Stepwise late this afternoon ...



Can't get openssh to compile
Authored by: lovejoy on Mar 11, '02 01:03:43PM

It looks like it was fixed, but I said ./config threads to make it multi-threaded. Other than that it was perfect.

Lovejoy



use fink and save time (for free!)
Authored by: Moo0 on Mar 09, '02 04:45:54PM

I had the same error but couldn't be bothered to figure it out: it's easier and less headache-causing to install fink (fink.sourceforge.net) and do a

fink install openssl

then do the ./configure for openssh with --with-ssl-dir=/sw

worked fine for me, running OpenSSH 3.1 now!



can't get to compile either
Authored by: see on Mar 08, '02 10:57:19AM

After putting an extra "int" at the bottom of the file openbsd-compat/readpassphrase.c to get rid of a stupid error, I get stuck with the following error when compiling:
------------------------
readpass.c: In function `read_passphrase':
readpass.c:100: `RPP_ECHO_ON' undeclared (first use in this function)
readpass.c:100: (Each undeclared identifier is reported only once
readpass.c:100: for each function it appears in.)
readpass.c:100: `RPP_ECHO_OFF' undeclared (first use in this function)
readpass.c:105: `RPP_REQUIRE_TTY' undeclared (first use in this function)
readpass.c:121: warning: implicit declaration of function `readpassphrase'
make: *** [readpass.o] Error 1
----------------------------
Can't get openssh 3.1.p1 to compile on my Sun machine either.
Anybody actually managed to compile openssh on a machine other than OpenBSD? Think I'll go with ssh.com's version....



can't get to compile either
Authored by: zsvx on Mar 09, '02 12:53:01AM

compiled fine for me in solaris 7.



how i got it compile at last...
Authored by: see on Mar 08, '02 12:43:00PM

Do the steps in the Stepwise tutorial, except before trying to compile ssh do this:

At the bottom of the file openbsd-compat/readpassphrase.c change:
--------------------------
static void handler(int s)
{

signo = s;
}

to:
static void handler(int s)
{

int signo = s;
}
---------------------------------
Also add in the file readpass.h the following lines:

#define RPP_ECHO_OFF 0x00 /* Turn off echo (default). */
#define RPP_ECHO_ON 0x01 /* Leave echo on. */
#define RPP_REQUIRE_TTY 0x02 /* Fail if there is no tty. */

Now continue with the last step in the Stepwise compilation, i.e. compile ssh.
This worked for me and I hope it helps someone else... don't blame me if you *censored* something up ;)



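What the `int signo = s;` edit in the post above does at run time, as an added example that is not part of the original post or of the OpenSSH source. It assumes the file keeps the caught signal in a file-scope `signo` (which the original bare assignment implies); the names `handler_before`, `handler_after` and `observed_after_sigint` are hypothetical.

```c
#include <signal.h>
#include <stdio.h>

/* Assumed: the file keeps the last caught signal in a file-scope variable,
 * which is what the original handler's bare assignment implies. */
static volatile sig_atomic_t signo;

/* Handler as it stood before the edit: records the signal number. */
static void handler_before(int s)
{
    signo = s;
}

/* Handler after the edit: "int" declares a new local that shadows the
 * file-scope variable, so nothing outside the handler ever changes. */
static void handler_after(int s)
{
    int signo = s;
    (void)signo;            /* silence the unused-variable warning */
}

/* Install h for SIGINT, deliver one SIGINT to ourselves, and return what
 * the rest of the program can observe in the file-scope variable. */
static int observed_after_sigint(void (*h)(int))
{
    void (*prev)(int) = signal(SIGINT, h);
    if (prev == SIG_ERR)
        return -1;
    signo = 0;
    raise(SIGINT);          /* handler runs before raise() returns */
    signal(SIGINT, prev);   /* put the previous disposition back */
    return (int)signo;
}

int main(void)
{
    printf("before edit: recorded %d (SIGINT is %d)\n",
           observed_after_sigint(handler_before), SIGINT);
    printf("after edit:  recorded %d\n",
           observed_after_sigint(handler_after));
    return 0;
}
```

The edited handler compiles cleanly but is a no-op, so any code that checks the file-scope variable after the passphrase prompt never learns that a signal arrived. Building with `-Wshadow` flags the shadowing declaration.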
eh
Authored by: bhines on Mar 08, '02 09:45:06PM

According to some sources the new bug is not a "serious issue" since it's not proven that it can be exploited remotely.


