Synopsis: Moderate: openssh security update Issue date: 2009-09-30 CVE Names: CVE-2009-2904 A Red Hat specific patch used in the openssh packages as shipped in Red Hat Enterprise Linux 5.4 (RHSA-2009:1287) loosened certain ownership requirements for directories used as arguments for the ChrootDirectory configuration options. A malicious user that also has or previously had non-chroot shell access to a system could possibly use this flaw to escalate their privileges and run commands as any system user. (CVE-2009-2904) After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically. SL 5.x SRPMS: openssh-4.3p2-36.el5_4.2.src.rpm i386: openssh-4.3p2-36.el5_4.2.i386.rpm openssh-askpass-4.3p2-36.el5_4.2.i386.rpm openssh-clients-4.3p2-36.el5_4.2.i386.rpm openssh-server-4.3p2-36.el5_4.2.i386.rpm x86_64: openssh-4.3p2-36.el5_4.2.x86_64.rpm openssh-askpass-4.3p2-36.el5_4.2.x86_64.rpm openssh-clients-4.3p2-36.el5_4.2.x86_64.rpm openssh-server-4.3p2-36.el5_4.2.x86_64.rpm -Connie Sieh -Troy Dawson