Re: new unpublished SSH exploit ?

From: Nico Kadel-Garcia (nkadel_at_verizon.net)
Date: 09/19/03

Date: Fri, 19 Sep 2003 05:26:54 GMT


Mungo wrote:
> jlk@btclick.com (Jim Kissel) wrote in
> news:3f697097.2741472519@news.btclick.com:
>
>> Any suggestion for patching a RH 7.0?
>> Tried to build from source but failed to compile.
>
> Why? Several users report that the rpm for 7.1 works for 7.0 as well, if
> you kept up with the patches for 7.0 while it was still supported. Ditto
> for the sendmail fix.

Definitely use the RPMs. Unfortunately, doing this messes up the auto
update tools, which will lose track of other updates for 7.0 which may
have slightly lower version numbers than the 7.1 updates, and you'll
have to monitor the 7.1 updates separately for security patches. One can
*lie* to the .spec files about the version number, which can keep such
updates straight.

Unfortunately, the versions of OpenSSH past 3.1 or so introduced that
great source of unreliable, untested, incompatible, and fractured code
in the name of "enhanced security" known as "privilege separation", a
bit of chroot tapdancing to prevent even the potential of certain
classes of root exploits that don't seem to exist in the wild that I've
ever seen. And it's made the code somewhat unstable, particularly for
platforms other than the OpenBSD that is OpenSSH's primary source and
build environment, even though the number of OpenSSH Linux users
outnumbers them by a huge factor. (There are reasons for this: OpenBSD
has much better overall integration and quality control than Linux
*because* of their cautious code review and tight environmental control.)
