Re: CERT (Was: Re: NUTS! "Much ado about nothing" -- I need a clearer up or down)

From: Mark Thomas (thomas@pbegames.com)
Date: 06/27/02


Date: Thu, 27 Jun 2002 08:20:40 -0400
To: freebsd-security@FreeBSD.ORG
From: Mark Thomas <thomas@pbegames.com>

At 08:09 AM 6/27/02 -0400, Chris Johnson wrote:
>On Thu, Jun 27, 2002 at 06:54:35AM -0500, D J Hawkey Jr wrote:
> > OpenSSH in RELENG_4_5 (FreeBSD 4.5-RELEASE[-pN]) is OpenSSH_2.9.
> > To reiterate, all that has to be done for this version is turn off
> > "ChallengeResponseAuthentication".
>
>The version in RELENG_4_5 does not have this bug, so you don't even have to
>turn off ChallengeResponseAuthentication to be safe from this particular
>vulnerability. You're safe either way.

If you're running older versions be careful. This option may not exist, and
hupping a server with this in place can cause it to shut itself down,
leaving you with no daemon running.

Mark Thomas

---
thomas@pbegames.com ----> http://www.pbegames.com/~thomas
Play by Electron Games -> http://www.pbegames.com Free Trial Games
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message