Re: OpenSSH-portable <= 3.6.1p1 bug?
From: Peter C. Lai (sirmoo_at_cowbert.2y.net)
Date: 05/13/03
- In reply to: Omar Lopez: "OpenSSH-portable <= 3.6.1p1 bug?"
Date: Tue, 13 May 2003 15:05:19 -0400 To: Omar Lopez <magura@ardilla.dyndns.org>
I think this explains it pretty well: (it's under section 3. of the advisory
you posted).
<blockquote>
NOTE. FreeBSD uses both a different PAM implementation and a different PAM
support in OpenSSH: it doesn't seem to be vulnerable to this particular timing
leak issue.
All OpenSSH-portable releases <= OpenSSH_3.6.1p1 compiled with PAM support
enabled (./configure --with-pam) are vulnerable to this information leak. The
PAMAuthenticationViaKbdInt directive doesn't need to be enabled in sshd_config.
</blockquote>
However, it lists MACOSX as "unconfirmed". I thought MACOSX used
the FreeBSD ssh implementation.
On Mon, May 12, 2003 at 11:31:03PM +0200, Omar Lopez wrote:
> Hi:
> I read this security advisory.
> http://lab.mediaservice.net/advisory/2003-01-openssh.txt
> Is my FreeBSD 5.0 affected? What other versions are affected?
>
> Thanks.
>
--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology
Yale University School of Medicine
SenseLab | Research Assistant
http://cowbert.2y.net/
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"