Yellow Dog Linux Security Announcement
--------------------------------------

Package:	openssh	
Issue Date: 	December 08, 2001
Priority:	medium	
Advisory ID: 	YDU-20011208-5


1. 	Topic:

	These packages fix a vulnerability which may allow unauthorized users to
	log in from hosts that have been denied access.

2. 	Problem:

	If a user lists multiple keys in her .ssh/authorized_keys2 file, sshd may
	in some circumstances not honor the "from" option which can be associated
	with a key, thereby allowing key-based logins from hosts which should not
	be allowed access.

3. 	Solution:

	The updated packages also change some of OpenSSH's functionality.
	To see if these changes will be of impact to you, please visit:
	http://lwn.net/2001/1206/a/openssh-3.0.2.php3

   	a) Updating via yup...
   	We suggest that you use the Yellow Dog Update Program (yup)
   	to keep your system up-to-date. The following command(s) will
   	automatically retrieve and install the fixed version of
   	this update onto your system:

   		yup update openssh

   	b) Updating manually...
   	The update can also be retrieved manually from our ftp site
   	below along with the rpm command that should be used to install
   	the update.  (Please use a mirror site)

   		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.1/ppc/
                rpm -Fvh openssh-3.0.2p1-1a.ppc.rpm
		rpm -Fvh openssh-clients-3.0.2p1-1a.ppc.rpm
		rpm -Fvh openssh-server-3.0.2p1-1a.ppc.rpm
		rpm -Fvh openssh-askpass-3.0.2p1-1a.ppc.rpm
		rpm -Fvh openssh-askpass-gnome-3.0.2p1-1a.ppc.rpm


4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
9965930ec4d4afec5b8cc1a9098cfef8  ppc/openssh-3.0.2p1-1a.ppc.rpm
b9d1c13a1055597f78b3ad452fc6b72e  ppc/openssh-askpass-3.0.2p1-1a.ppc.rpm
ee68149db5786009503231af73c1ddf3  ppc/openssh-askpass-gnome-3.0.2p1-1a.ppc.rpm
7e82d5d356f3658d31e1c378086067d4  ppc/openssh-clients-3.0.2p1-1a.ppc.rpm
e95180fc57a89e698297cc7ceb96a2c0  ppc/openssh-server-3.0.2p1-1a.ppc.rpm
feb5876ce64970e722e0e5825f820eb5  SRPMS/openssh-3.0.2p1-1a.src.rpm

If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename


5. Misc.

Terra Soft has setup a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.

For information regarding the usage of yup, the Yellow Dog Update Program, see 
http://http://www.yellowdoglinux.com/support/solutions/ydl_general/yup.shtml