Re: Upcoming OpenSSH Remote Exploit
From: Bernd Eckenfels (ecki-news2002-06@lina.inka.de) Date: 06/27/02
- Next message: sakky: "Re: subjective Q. - what's the most secure OS?"
- Previous message: Faux_Pseudo: "Re: "proving" a user received an email (good gosh)"
- In reply to: Juergen P. Meier: "Re: Upcoming OpenSSH Remote Exploit"
- Next in thread: Todd Knarr: "Re: Upcoming OpenSSH Remote Exploit"
- Reply: Todd Knarr: "Re: Upcoming OpenSSH Remote Exploit"
From: Bernd Eckenfels <ecki-news2002-06@lina.inka.de> Date: 27 Jun 2002 03:07:33 GMT
Juergen P. Meier <news@jors.net> wrote:
> PrivSep has apparently nothing to do with this whatsoever.
Privsep does limit the impact (no remote root exploit)
> So the fix would be to either disable these two options or to upgrade
> to OpenSSH 3.4, which has just been released on http://www.openssh.org/
According to the advisory it is not enough to only turn the options off,
because the 3.4 patch solves further problems which could also be
exploited:
At least PAMAuthenticationViaKbdInt needs to be disabled, too (OpenSSH
advisory).
openssh.org:
The 3.4 release contains many other fixes done over a week long audit started
when this issue came to light. We believe that some of those fixes are
likely to be important security fixes. Therefore, we urge an upgrade to 3.4.
> Disable ChallengeResponseAuthentication in sshd-config when running
> non-BSD Unix systems (Linux, Solaris, HP/UX...) and be fine.
Nope.
Greetings
Bernd
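As an added check for the mitigation discussed above (example code, not part of the thread and not OpenSSH's own tooling): a POSIX shell audit of an sshd_config that reports whether both challenge-response paths are explicitly off and privilege separation is on. It assumes that an absent directive should be reported as "unset", and the two sample configurations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# settings discussed above. A directive that is absent is treated as "unset"
# and reported; that conservative rule is an assumption of this script.

# Print the effective value of one directive, lower-cased.
# sshd_config uses the FIRST occurrence of a keyword, keywords are
# case-insensitive, and '#' starts a comment. The "Keyword=value"
# spelling is not handled here.
sshd_opt() {  # usage: sshd_opt <config-file> <Keyword>
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key        { print tolower($2); exit }
    ' "$1"
}

# Return 0 when every directive has its expected value, 1 otherwise,
# listing each deviation on stdout.
audit_sshd_config() {  # usage: audit_sshd_config <config-file>
    rc=0
    for want in ChallengeResponseAuthentication:no \
                PAMAuthenticationViaKbdInt:no \
                UsePrivilegeSeparation:yes; do
        key=${want%%:*}; expected=${want#*:}
        val=$(sshd_opt "$1" "$key")
        if [ "$val" != "$expected" ]; then
            echo "$key is '${val:-unset}', expected '$expected'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configurations (not taken from any real host).
VULNERABLE_CFG='Port 22
# commented out, so the directive counts as unset
#PAMAuthenticationViaKbdInt no
ChallengeResponseAuthentication yes
'
MITIGATED_CFG='Port 22
UsePrivilegeSeparation yes
challengeresponseauthentication no   # keyword match is case-insensitive
PAMAuthenticationViaKbdInt no
'
for cfg in "$VULNERABLE_CFG" "$MITIGATED_CFG"; do
    f=$(mktemp); printf '%s' "$cfg" > "$f"
    if audit_sshd_config "$f"; then echo "-> OK"; else echo "-> needs attention"; fi
    rm -f "$f"
done
```

Run it against a host's real file with `audit_sshd_config /etc/ssh/sshd_config`; the exit status makes it usable from a configuration-management check.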