From owner-freebsd-security Wed Nov 28 22: 4:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id F04C337B427 for ; Wed, 28 Nov 2001 22:04:28 -0800 (PST) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id XAA29970; Wed, 28 Nov 2001 23:04:05 -0700 (MST) Message-Id: <4.3.2.7.2.20011128225341.04672880@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 28 Nov 2001 23:04:02 -0700 To: "f.johan.beisser" From: Brett Glass Subject: Re: sshd exploit Cc: Mauro Dias , In-Reply-To: <20011128214925.P16958-100000@localhost> References: <4.3.2.7.2.20011128221259.04665720@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 10:52 PM 11/28/2001, f.johan.beisser wrote: >how long have you known of it? frankly, this is the first i've heard about >it, let alone the exploit binary. I reposted a report by Dave Dittrich to this list about two weeks ago. CERT has also had it on its Web page for a while now. To sum it up in a few sentences: Old versions of SSH have been hacked through the SSHv1 protocol, and the vulnerable code was adopted by OpenSSH, so older versions of that are vulnerable too. My recommendation: compile and install OpenSSH 3.0.1p1. Or, if you need some of the special integration that's been done in the Ports Collection, use the latest version that's there (2.9.something the last time I looked). FreeBSD 4.4-RELEASE shipped with OpenSSH 2.3.0, which may be OK (I'm not sure just when they fixed the problem). --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message