Re: new unpublished SSH exploit ?
From: Nico Kadel-Garcia (nkadel_at_verizon.net)
Date: Fri, 19 Sep 2003 05:26:54 GMT
> firstname.lastname@example.org (Jim Kissel) wrote in
>>Any suggestion for patching a RH 7.0?
>>Tried to build from source but failed to compile.
> Why? Several users report that the rpm for 7.1 works for 7.0 as well, if
> you kept up with the patches for 7.0 while it was still supported. Ditto
> for the sendmail fix.
Definitely use the RPM's. Unfortunately, doing this messes up the auto
update tools, which will lose track of other updates for 7.0 which may
have slightly lower version numbers than the 7.1 updates, and you'll
have to monitor the 7.1 updates separately for security patches. One can
*lie* to the .spec files about the version number, which can keep such
Unfortunately, the versions of OpenSSH past 3.1 or so introduced that
great source of unreliable, untested, incompatible, and fractured code
in the name of "enhanced security" known as "privilege separation", a
bit of chroot tapdancing to prevent even the potential of certain
classes of root exploits that don't seem to exist in the wild that I've
ever seen. And it's made the code somewhat unstable, particularly for
platforms other than the OpenBSD that is OpenSSH's primary source and
build environment, even though the number of OpenSSH Linux users
outnumber them by a huge factor. (There are reasons for this: OpenBSD
has much better overall integration and quality control than Linux
*because* of their cautious code review and tight environmental control.)