Date: Wed, 28 Nov 2001 23:04:02 -0700
From: Brett Glass <brett@lariat.org>
To: "f.johan.beisser" <jan@caustic.org>
Cc: Mauro Dias <localhost@dsgx.org>, <security@FreeBSD.ORG>
Subject: Re: sshd exploit
Message-ID: <4.3.2.7.2.20011128225341.04672880@localhost>
In-Reply-To: <20011128214925.P16958-100000@localhost>
References: <4.3.2.7.2.20011128221259.04665720@localhost>

At 10:52 PM 11/28/2001, f.johan.beisser wrote:

>how long have you known of it? frankly, this is the first i've heard about
>it, let alone the exploit binary.

I reposted a report by Dave Dittrich to this list about two weeks ago.
CERT has also had it on its Web page for a while now.

To sum it up in a few sentences: Old versions of SSH have been hacked
through the SSHv1 protocol, and the vulnerable code was adopted by
OpenSSH, so older versions of that are vulnerable too.

My recommendation: compile and install OpenSSH 3.0.1p1. Or, if you need
some of the special integration that's been done in the Ports Collection,
use the latest version that's there (2.9.something the last time I looked).
FreeBSD 4.4-RELEASE shipped with OpenSSH 2.3.0, which may be OK (I'm not
sure just when they fixed the problem).

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message