Re: new unpublished SSH exploit ?

From: Nico Kadel-Garcia (nkadel_at_verizon.net)
Date: 09/19/03

  • Next message: dany: "Connexion problem with OpenSSH 3.7.1P1 and 3.7.P1"
    Date: Fri, 19 Sep 2003 05:26:54 GMT
    
    

    Mungo wrote:
    > jlk@btclick.com (Jim Kissel) wrote in
    > news:3f697097.2741472519@news.btclick.com:
    >
    >
    >>Any suggestion for patching a RH 7.0?
    >>Tried to build from source but failed to compile.
    >
    >
    >
    > Why? Several users report that the rpm for 7.1 works for 7.0 as well, if
    > you kept up with the patches for 7.0 while it was still supported. Ditto
    > for the sendmail fix.

    Definitely use the RPM's. Unfortunately, doing this messes up the auto
    update tools, which will lose track of other updates for 7.0 which may
    have slightly lower version numbers than the 7.1 updates, and you'll
    have to monitor the 7.1 updates separately for security patches. One can
    *lie* to the .spec files about the version number, which can keep such
    updates straight.

    Unfortunately, the versions of OpenSSH past 3.1 or so introduced that
    great source of unreliable, untested, incompatible, and fractured code
    in the name of "enhanced security" known as "privilege separation", a
    bit of chroot tapdancing to prevent even the potential of certain
    classes of root exploits that don't seem to exist in the wild that I've
    ever seen. And it's made the code somewhat unstable, particularly for
    platforms other than the OpenBSD that is OpenSSH's primary source and
    build environment, even though the number of OpenSSH Linux users
    outnumber them by a huge factor. (There are reasons for this: OpenBSD
    has much better overall integration and quality control than Linux
    *because* of their cautious code review and tight environmental control.)


  • Next message: dany: "Connexion problem with OpenSSH 3.7.1P1 and 3.7.P1"