Mandrake Linux Security Advisory : openssh (MDKSA-2000:068-1)
High Nessus Plugin ID 61854
SynopsisThe remote Mandrake Linux host is missing one or more security updates.
DescriptionA vulnerability exists with all versions of OpenSSH prior to 2.3.0 with regards to the X11 forwarding and ssh-agent. If agent or X11 forwarding is disabled in the ssh client configuration, the client does not request these features during session setup. However, when the ssh client receives an actual request asking for access to the ssh-agent, the client fails to check whether this feature has been negotiated during session setup. The client does not check whether the request is in compliance with the client configuration and grants access to the ssh-agent. A similar problem exists in the X11 forwarding implementation.
The packages announced yesterday for Linux-Mandrake 7.0 and 7.1 did not have PAM support enabled. This meant that the server would not allow logins. These updated packages for 7.0 and 7.1 are now available with PAM support properly enabled.
SolutionUpdate the affected packages.