CESA-2009:1470: openssh security update

Source: CentOS Project (lists.centos.org)
Published: 2009-10-30 14:43:57

CVSS2 score: 6.9 Medium (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.0004 Low (percentile 5.3%)

CentOS Errata and Security Advisory CESA-2009:1470

OpenSSH is OpenBSD’s SSH (Secure Shell) protocol implementation. These
packages include the core files necessary for both the OpenSSH client and
server.

A Red Hat specific patch used in the openssh packages as shipped in Red
Hat Enterprise Linux 5.4 (RHSA-2009:1287) loosened certain ownership
requirements for directories used as arguments to the ChrootDirectory
configuration option. A malicious user who also has or previously had
non-chroot shell access to a system could possibly use this flaw to
escalate their privileges and run commands as any system user.
(CVE-2009-2904)
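The ownership requirement the advisory refers to is upstream OpenSSH's rule that every path component of a ChrootDirectory, from / down to the chroot itself, must be owned by root and must not be writable by group or others; a user-owned or writable component lets a local user alter what sshd chroots into. The following script is an added example, not part of the advisory or of the openssh packages, that audits a configured ChrootDirectory against that rule. The `stat_fn` parameter and the sample filesystem table are assumptions introduced here so the check can be exercised offline; on a live host it is called with the default `os.stat`.

```python
import os
import stat
from typing import Any, Callable, Dict, List, NamedTuple, Tuple


class PathStat(NamedTuple):
    """Minimal stand-in for os.stat_result, used by the constructed sample below."""
    st_uid: int
    st_mode: int


def path_components(path: str) -> List[str]:
    """Return '/', '/a', '/a/b', ... for an absolute, normalised path."""
    components = []
    current = path
    while True:
        components.append(current)
        parent = os.path.dirname(current)
        if parent == current:  # reached '/'
            break
        current = parent
    return list(reversed(components))


def chroot_path_problems(path: str,
                         stat_fn: Callable[[str], Any] = os.stat) -> List[str]:
    """Return reasons why `path` is unsafe as an sshd ChrootDirectory.

    Applies the upstream OpenSSH rule: each component must be a directory,
    owned by uid 0, and not writable by group or others. An empty list means
    the path passes. `stat_fn` defaults to os.stat (follows symlinks, as sshd
    does) and is injectable only so the check can be tested offline.
    """
    path = os.path.normpath(path)
    if not os.path.isabs(path):
        return [f"{path}: ChrootDirectory must be an absolute path"]

    problems: List[str] = []
    for component in path_components(path):
        try:
            st = stat_fn(component)
        except OSError as exc:
            problems.append(f"{component}: cannot stat ({exc})")
            return problems  # nothing below this point can be trusted
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{component}: not a directory")
            return problems
        if st.st_uid != 0:
            problems.append(f"{component}: owned by uid {st.st_uid}, must be owned by root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{component}: writable by group or others "
                            f"(mode {stat.S_IMODE(st.st_mode):04o})")
    return problems


# Constructed sample filesystem (path -> (uid, mode)); not taken from any real host.
SAMPLE_FS: Dict[str, Tuple[int, int]] = {
    "/": (0, 0o40755),
    "/srv": (0, 0o40755),
    "/srv/sftp": (0, 0o40755),           # acceptable chroot root
    "/srv/sftp/alice": (1001, 0o40755),  # user-owned: rejected by the upstream rule
    "/srv/sftp/shared": (0, 0o40775),    # group-writable: rejected
}


def fake_stat(path: str) -> PathStat:
    """stat() over the constructed sample filesystem; assumption for offline use."""
    try:
        uid, mode = SAMPLE_FS[path]
    except KeyError:
        raise FileNotFoundError(path)
    return PathStat(uid, mode)


def audit(paths: List[str], stat_fn: Callable[[str], Any] = os.stat) -> Dict[str, List[str]]:
    """Audit several candidate ChrootDirectory values; returns path -> problems."""
    return {p: chroot_path_problems(p, stat_fn) for p in paths}


if __name__ == "__main__":
    # Offline demonstration over the constructed table. On a real server, drop
    # stat_fn to use os.stat and pass the ChrootDirectory values from sshd_config.
    for candidate, issues in audit(["/srv/sftp", "/srv/sftp/alice", "/srv/sftp/shared"],
                                   fake_stat).items():
        verdict = "OK" if not issues else "REJECT"
        print(f"{verdict:6} {candidate}")
        for issue in issues:
            print(f"       - {issue}")
```

The check stops at the first component it cannot stat or that is not a directory, because nothing beneath such a component can be evaluated meaningfully, but it keeps accumulating ownership and permission findings otherwise so that one run reports every offending component. Running the audit with the default `os.stat` requires only read access to the directory metadata, not root.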

All OpenSSH users are advised to upgrade to these updated packages, which
contain a backported patch to resolve this issue. After installing this
update, the OpenSSH server daemon (sshd) will be restarted automatically.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2009-October/078426.html
https://lists.centos.org/pipermail/centos-announce/2009-October/078427.html

Affected packages:
openssh
openssh-askpass
openssh-clients
openssh-server

Upstream details at:
https://access.redhat.com/errata/RHSA-2009:1470
