New openssh 3.8p1

Open forum for security issues and info.
Forum rules
Any posts concerning pirated software or offering to buy/sell/trade commercial software are subject to removal.
User avatar
dexter1
Moderator
Moderator
Posts: 2062
Joined: Thu Feb 20, 2003 6:57 am
Location: Voorburg, The Netherlands
Contact:

New openssh 3.8p1

Unread postby dexter1 » Wed Mar 03, 2004 2:59 am

This has slipped by me, so i'll figure i post it here.
No real reason to upgrade from 3.7p1 or a patched 3.6.1p2, this release seems to be just a ports bugfix, no openssh-3.7p1 vulnerabilities reported sofar, but i haven't checked all documents. Will try to port it today on my Origin.

User avatar
nekonoko
Site Admin
Site Admin
Posts: 8031
Joined: Thu Jan 23, 2003 1:31 am
Location: Pleasanton, California
Contact:

Unread postby nekonoko » Fri Mar 05, 2004 11:14 am

Just wanted to point out that foetz put together a tarball of the latest release:

http://www.nekochan.net/wiki/downloads/contr ... p1.tar.bz2
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.

User avatar
foetz
Moderator
Moderator
Posts: 5699
Joined: Mon Apr 14, 2003 4:34 am
Contact:

Unread postby foetz » Fri Mar 05, 2004 1:14 pm

dexter is right.
there's no real reason to upgrade but it's no hard work and they wouldn't have made a new release without any reason.
r-a-c.de

User avatar
nekonoko
Site Admin
Site Admin
Posts: 8031
Joined: Thu Jan 23, 2003 1:31 am
Location: Pleasanton, California
Contact:

Unread postby nekonoko » Tue Mar 09, 2004 10:58 pm

Anyone else had this release override the system time to GMT after starting sshd? Even the SYSLOG time stamps change. Really weird.
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.

User avatar
foetz
Moderator
Moderator
Posts: 5699
Joined: Mon Apr 14, 2003 4:34 am
Contact:

Unread postby foetz » Tue Mar 09, 2004 11:04 pm

nekonoko wrote:Anyone else had this release override the system time to GMT after starting sshd? Even the SYSLOG time stamps change. Really weird.


hello,

quite strange. not happend with my machines.
how is your timezone set?
r-a-c.de

User avatar
Dubhthach
Posts: 779
Joined: Tue Oct 07, 2003 8:16 am
Location: Bláth Cliath, Éire

Unread postby Dubhthach » Wed Mar 10, 2004 3:42 am

just as well my timezone is GMT then :mrgreen:

User avatar
sum][one
Posts: 573
Joined: Fri Jun 06, 2003 4:25 pm
Location: Italy
Contact:

Unread postby sum][one » Wed Mar 10, 2004 5:11 am

damn..i just checked it and it happens here too..
i compiled that SSH myself..

when i ssh to my origin the date shows GMT as timezone while i'm set to CET


weird
----
:: jean-claude
:: mimgfx dot com
----

User avatar
nekonoko
Site Admin
Site Admin
Posts: 8031
Joined: Thu Jan 23, 2003 1:31 am
Location: Pleasanton, California
Contact:

Unread postby nekonoko » Wed Mar 10, 2004 9:19 am

sum][one wrote:damn..i just checked it and it happens here too..
i compiled that SSH myself..

when i ssh to my origin the date shows GMT as timezone while i'm set to CET


weird


That's the same thing I'm getting - I have /etc/TIMEZONE set to TZ=PST8PDT on all machines but once you ssh in it all changes to GMT. I compiled ssh myself as well.

Reverting to the previous version fixes everything.
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.

User avatar
foetz
Moderator
Moderator
Posts: 5699
Joined: Mon Apr 14, 2003 4:34 am
Contact:

Unread postby foetz » Thu Mar 11, 2004 2:34 pm

one solution could be to set the TZ personal for the user you use to login...
r-a-c.de

User avatar
nekonoko
Site Admin
Site Admin
Posts: 8031
Joined: Thu Jan 23, 2003 1:31 am
Location: Pleasanton, California
Contact:

Unread postby nekonoko » Thu Mar 11, 2004 2:37 pm

Tried that - ssh still overrides everything to GMT system wide.
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.

User avatar
foetz
Moderator
Moderator
Posts: 5699
Joined: Mon Apr 14, 2003 4:34 am
Contact:

Unread postby foetz » Thu Mar 11, 2004 2:39 pm

mmhh, really strange...
r-a-c.de

User avatar
nekonoko
Site Admin
Site Admin
Posts: 8031
Joined: Thu Jan 23, 2003 1:31 am
Location: Pleasanton, California
Contact:

Unread postby nekonoko » Fri Mar 19, 2004 12:04 pm

Found the problem:

List: openssh-unix-dev
Subject: Re: environ problem in 3.8p1
From: Darren Tucker <dtucker () zip ! com ! au>
Date: 2004-03-12 12:37:13
Message-ID: <4051AEF9.7090702 () zip ! com ! au>
[Download message RAW]

Roger Cornelius wrote:

> 3.8p1 added the following to main() in sshd.c:
>
> #ifndef HAVE_CYGWIN
> /* Clear environment */
> environ[0] = NULL;
> #endif
>
> This breaks the getenv("TZ") in session.c and causes logins to occur in
> GMT time. It also causes any sshd syslog messages to be written in GMT
> time. I'm on SCO Openserver 5.0.7, but this looks like it should affect
> all platforms. Am I missing something? I haven't seen it reported
> before.

That was an attempt to fix issues with certain authentication types on
AIX, but it causes other problems, as you found. The change has been
backed out, and an alternative fix for the AIX issues has been
implemented. (Both will be in the next release, and are in the
snapshots now).

Thanks for the report.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


Rather than pull the latest snapshot I just deleted the nasty "environ[0] = NULL;" crud shown above, recompiled and everything is back to normal.
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.

User avatar
nekonoko
Site Admin
Site Admin
Posts: 8031
Joined: Thu Jan 23, 2003 1:31 am
Location: Pleasanton, California
Contact:

Unread postby nekonoko » Fri Apr 23, 2004 11:54 am

nekonoko wrote:Rather than pull the latest snapshot I just deleted the nasty "environ[0] = NULL;" crud shown above, recompiled and everything is back to normal.


3.8.1p1 addresses this issue:

20040308
- (dtucker) [sshd.c] Back out rev 1.270 as it caused problems on some
platforms (eg SCO, HP-UX) with logging in the wrong TZ. ok djm@


It also has the following IRIX specific change:

20040406
- (dtucker) [acconfig.h configure.ac defines.h] Bug #820: don't use
updwtmpx() on IRIX since it seems to clobber utmp. ok djm@


Not a security release, but in addition to the specific fixes above there are a number of other bug fixes. I built a tardist and uploaded to the Nekoware beta directory, though it may only work on 6.5.22 and up.
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.


Return to “SGI: Security”

Who is online

Users browsing this forum: No registered users and 1 guest