[Lugge] ssh vulnerability

  • From: "robang@xxxxxxxxx" <robang@xxxxxxxxx>
  • To: lugge@xxxxxxxxxxxxx
  • Date: Wed, 26 Jun 2002 17:40:21 +0200


 We're affected by this one too, right?
 Well, that's just great!

Begin forwarded message:

Date: Wed, 26 Jun 2002 09:57:08 +0200
From: Simone Piunno <pioppo@xxxxxxxxxxxxxxxx>
To: Lista flug - FerraraLUG <flug@xxxxxxxxxxxxxxxx>
Subject: [flug] Upcoming OpenSSH vulnerability

Anyone who has port 22 open is seriously advised to upgrade 
the openssh package.

----- Forwarded message from Theo de Raadt -----

From: Theo de Raadt
Date: Mon, 24 Jun 2002 15:00:10 -0600
Subject: Upcoming OpenSSH vulnerability

There is an upcoming OpenSSH vulnerability that we're working on with
ISS.  Details will be published early next week.

However, I can say that when OpenSSH's sshd(8) is running with priv
separation, the bug cannot be exploited.

OpenSSH 3.3p was released a few days ago, with various improvements
but in particular, it significantly improves the Linux and Solaris
support for priv sep.  However, it is not yet perfect.  Compression is
disabled on some systems, and the many varieties of PAM are causing
major headaches.

However, everyone should update to OpenSSH 3.3 immediately, and enable
priv separation in their ssh daemons, by setting this in your
/etc/ssh/sshd_config file:

        UsePrivilegeSeparation yes

Depending on what your system is, privsep may break some ssh
functionality.  However, with privsep turned on, you are immune from
at least one remote hole.  Understand?

Roberto A. Foglietta
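
An added example, not part of the original thread: a shell check that reports which UsePrivilegeSeparation value sshd would actually use from a config file, since sshd keeps the first value it reads for a keyword and matches keywords case-insensitively. The function names and the sample config are constructed for illustration; accepting "sandbox" reflects later OpenSSH releases, not the 3.3 advisory above.

```shell
#!/bin/sh
# Added example (hypothetical helper names): audit an sshd_config file for
# the UsePrivilegeSeparation setting that the advisory asks for.

# Print the effective value, or nothing if the keyword is never set.
privsep_setting() {
    awk '
        { sub(/\r$/, "") }                  # tolerate CRLF line endings
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)   # "Key value" or "Key=value"
            if (n >= 2 && tolower(f[1]) == "useprivilegeseparation") {
                print f[2]; exit            # first occurrence wins
            }
        }
    ' "$1"
}

# Return 0 if privsep is on, 1 if set to something else, 2 if unset,
# 3 if the file could not be read.
privsep_check() {
    val=$(privsep_setting "$1") || return 3
    case "$val" in
        yes|sandbox) echo "OK: UsePrivilegeSeparation $val"; return 0 ;;
        "")  echo "UNSET: no UsePrivilegeSeparation line, compiled-in default applies"
             return 2 ;;
        *)   echo "FAIL: UsePrivilegeSeparation $val"; return 1 ;;
    esac
}

# Constructed sample config: the later, lowercase "no" line is ignored
# because the first value for the keyword is the one that counts.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample sshd_config
Port 22
UsePrivilegeSeparation yes
useprivilegeseparation no
EOF
privsep_check "$demo"
rm -f "$demo"
```

On a real host, call `privsep_check /etc/ssh/sshd_config` and treat any non-zero status as a finding to review.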