From owner-freebsd-stable Wed Jun 26 10:18:56 2002 Delivered-To: freebsd-stable@freebsd.org Received: from ns1.datatrade.com (ns1.datatrade.com [64.19.45.227]) by hub.freebsd.org (Postfix) with ESMTP id ACBF737B4DE for ; Wed, 26 Jun 2002 10:15:34 -0700 (PDT) Received: from beastie.datatrade.off (beastie.datatrade.off [192.168.1.250]) by ns1.datatrade.com (8.12.2/8.12.2/Debian -5) with ESMTP id g5QHCBo0032276; Wed, 26 Jun 2002 12:12:11 -0500 Date: Wed, 26 Jun 2002 12:15:00 -0500 From: Samuel Kesterson To: Scott Dodson Cc: freebsd-stable@freebsd.org Subject: Re: OpenSSH Message-ID: <20020626171500.GS1961@beastie.datatrade.off> Reply-To: freebsd-stable@k-labs.com References: <20020626161024.GQ1961@beastie.datatrade.off> <20020626164115.GA20787@sdodson.dns2go.com> Mime-Version: 1.0 Content-Type: text/plain; format=flowed; charset=ISO-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20020626164115.GA20787@sdodson.dns2go.com>; from gsi22419@gsaix2.cc.gasou.edu on Wed, Jun 26, 2002 at 11:41:15 -0500 X-Mailer: Balsa 1.3.5 Lines: 36 Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Correction -- According to ISS 3.0-3.2.3 are vulnerable. Yes, the ISS bug report is why I was asking. In the interest of accuracy though, 3.3 is vulnerable, but it's not the only version. The main point though is that 3.3 contains the "Privilege Separation" code (http://www.citi.umich.edu/u/provos/ssh/privsep.html), which renders the ISS Challenge bug unexploitable (We hope :-) ). My -stable box says "SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20020307", so perhaps -stable is not vulnerable? I haven't had time to investigate very deeply. I mostly asked because I think that PrivSep is a *great* improvement. Personally, I feel the less code that runs as UID=0, the better. But, just my $0.02 ... On 2002.06.26 11:41 Scott Dodson wrote: > If this is in response to the ISS exploit, it should be noted that the > OpenSSH version with 4.6-Release should not be affected. Atleast this > is what I can tell based on the fact that the bug was reported as > being > in 3.3. > > > -- > Scott Dodson PGP KEY id 0x5F9A9E5E > sdodson@sdodson.com > > ~~ Samuel Kesterson freebsd-stable@k-labs.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message