Re: OpenSSH: multiple vulnerabilities in the new PAM code

From: Jacques A. Vidrine (nectar_at_FreeBSD.org)
Date: 09/24/03

  • Next message: Michael Sierchio: "Possible (or possibly painful) workaround for FreeBSD-SA-03:14.arp" 
    Date: Wed, 24 Sep 2003 10:32:04 -0500
To: D J Hawkey Jr <hawkeyd@visi.com>

    On Wed, Sep 24, 2003 at 09:27:17AM -0500, D J Hawkey Jr wrote:
    > On Sep 24, at 09:20 AM, Jacques A. Vidrine wrote:
    > >
    > > On Wed, Sep 24, 2003 at 11:16:03AM +0200, Sheldon Hearn wrote:
    > > > On (2003/09/23 16:53), Haesu wrote:
    > > >
    > > > > Oh jee, here we go again. Hey, at least patched 3.5p1 on FreeBSD
    > > > > 4.8/4.9 are not effected :)
    > > >
    > > > Since -CURRENT's using a modified OpenSSH_3.6.1p1, I don't think this
    > > > issue affects FreeBSD at all.
    > >
    > > Unfortunately, it _does_ affect us. The PAM code in OpenSSH 3.7x was
    > > taken from FreeBSD's PAM code. des@ is working the issue now.
    >
    > But just "portable", right?

    No, not just OpenSSH-portable.

    > Or are any "core" OpenSSHes across various
    > FreeBSD releases also vulnerable?

    I'm only talking about the base system OpenSSH above (which is based
    on OpenSSH-portable), but both `openssh' and `openssh-portable' in the
    Ports Collection are likely affected, as they contain the same code
    (brought in by the port maintainer).

    Cheers, 

    -- 
Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
  • Next message: Michael Sierchio: "Possible (or possibly painful) workaround for FreeBSD-SA-03:14.arp"

    Relevant Pages

    • FreeBSD Security Advisory FreeBSD-SA-03:15.openssh
      ... For general information regarding FreeBSD Security Advisories, ... OpenSSH is a free version of the SSH protocol suite of network ... The ssh2 protocol supports a wide range of authentication ... Its challenge / response mechanisms, ...
      (Bugtraq)
    • [Full-Disclosure] FreeBSD Security Advisory FreeBSD-SA-03:15.openssh
      ... For general information regarding FreeBSD Security Advisories, ... OpenSSH is a free version of the SSH protocol suite of network ... The ssh2 protocol supports a wide range of authentication ... Its challenge / response mechanisms, ...
      (Full-Disclosure)
    • FreeBSD Security Advisory FreeBSD-SA-03:15.openssh
      ... For general information regarding FreeBSD Security Advisories, ... OpenSSH is a free version of the SSH protocol suite of network ... The ssh2 protocol supports a wide range of authentication ... Its challenge / response mechanisms, ...
      (FreeBSD-Security)
    • [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-03:15.openssh
      ... For general information regarding FreeBSD Security Advisories, ... OpenSSH is a free version of the SSH protocol suite of network ... The ssh2 protocol supports a wide range of authentication ... Its challenge / response mechanisms, ...
      (freebsd-announce)
    • Re: [Full-Disclosure] MacOSX -FreeBSD
      ... BUT because OSX is partially FreeBSD based ... Category: core, ports ... OpenSSH is a free version of the SSH protocol suite of network ... overflow vulnerability ...
      (Full-Disclosure)