Date:      Mon, 24 Jun 2002 14:54:39 -0700
From:      Jason DiCioccio <geniusj@bluenugget.net>
To:        freebsd-security@freebsd.org
Subject:   [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)
Message-ID:  <2147483647.1024930479@[192.168.4.154]>

---------- Forwarded Message ----------
Date: Monday, June 24, 2002 11:06 PM +0200
From: Markus Friedl <markus@openbsd.org>
To: openssh-unix-announce@mindrot.org, openssh-unix-dev@mindrot.org
Subject: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability

On Mon, Jun 24, 2002 at 03:00:10PM -0600, Theo de Raadt wrote:
> Date: Mon, 24 Jun 2002 15:00:10 -0600
> From: Theo de Raadt <deraadt@cvs.openbsd.org>
> Subject: Upcoming OpenSSH vulnerability
> To: bugtraq@securityfocus.com
> Cc: announce@openbsd.org
> Cc: dsi@iss.net
> Cc: misc@openbsd.org
>
> There is an upcoming OpenSSH vulnerability that we're working on with
> ISS.  Details will be published early next week.
>
> However, I can say that when OpenSSH's sshd(8) is running with priv
> separation, the bug cannot be exploited.
>
> OpenSSH 3.3p was released a few days ago, with various improvements
> but in particular, it significantly improves the Linux and Solaris
> support for priv sep.  However, it is not yet perfect.  Compression is
> disabled on some systems, and the many varieties of PAM are causing
> major headaches.
>
> However, everyone should update to OpenSSH 3.3 immediately, and enable
> priv separation in their ssh daemons, by setting this in your
> /etc/ssh/sshd_config file:
>
[...]
>
> OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away.
> On OpenBSD privsep works flawlessly, and I have reports that it is also
> true on NetBSD.  All other systems appear to have minor or major
> weaknesses when this code is running.

I know theo did not mention FreeBSD, but does anyone know for sure if 
FreeBSD is one of the platforms with major/minor weaknesses in the privsep 
code?  And if it is major, or minor? ;-)

Cheers,
-JD-

--
Jason DiCioccio     - jd@bluenugget.net  - Useless .sig
Open Domain Service - geniusj@ods.org    - http://www.ods.org/
Ruby                - jd@ruby-lang.org   - http://www.ruby-lang.org/

PGP Fingerprint - C442 04E2 26B0 3809 8357  96AB D350 9596 0436 7C08
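The advice quoted above is to upgrade to OpenSSH 3.3 and to turn privilege separation on explicitly in sshd_config. The following is an added example for this archive page, not code from Theo, Markus, Jason or the OpenSSH project: a small audit that reads an sshd_config(5) for the privilege-separation directive and checks an OpenSSH version banner against the 3.3 floor. The sshd_config line Theo quoted is elided in the message as forwarded; the directive name used here, UsePrivilegeSeparation, is the real OpenSSH directive of that era and is stated from knowledge, not from the page. The sample configs and banners in the block are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH.
# Assumptions: the directive is spelled UsePrivilegeSeparation (keyword is
# case-insensitive, first occurrence wins, as sshd_config(5) documents), and
# the sample configs below are constructed, not taken from a real host.

# privsep_state FILE -> prints the first non-comment value of
# UsePrivilegeSeparation (lower-cased), or "unset" if it never appears.
privsep_state() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }        # skip comments and blanks
        tolower($1) == "useprivilegeseparation" {   # keyword is case-insensitive
            print tolower($2); found = 1; exit      # first occurrence wins
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# openssh_at_least_3_3 "OpenSSH_3.3p1, ..." -> 0 if major.minor >= 3.3,
# 1 if older, 2 if the string does not look like an OpenSSH version banner.
openssh_at_least_3_3() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    [ "$1" -gt 3 ] || { [ "$1" -eq 3 ] && [ "$2" -ge 3 ]; }
}

# audit FILE VERSION_STRING -> prints one OK or WARN line; status 0 only
# when the version is new enough AND privsep is explicitly enabled.
audit() {
    if ! openssh_at_least_3_3 "$2"; then
        echo "WARN: '$2' is older than OpenSSH 3.3 (or not recognised); upgrade first"
        return 1
    fi
    case "$(privsep_state "$1")" in
        yes)   echo "OK: privilege separation explicitly enabled in $1" ;;
        unset) echo "WARN: UsePrivilegeSeparation not set in $1; set it to yes explicitly"; return 1 ;;
        *)     echo "WARN: privilege separation disabled in $1"; return 1 ;;
    esac
}

# Demo on constructed configs (not real hosts).
good=$(mktemp); bad=$(mktemp)
printf '%s\n' '# constructed sample' 'Protocol 2' 'UsePrivilegeSeparation yes' > "$good"
printf '%s\n' 'Protocol 2' '#UsePrivilegeSeparation yes' 'usePrivilegeSeparation no' > "$bad"
audit "$good" "OpenSSH_3.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f"
audit "$bad"  "OpenSSH_3.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f" || true
audit "$good" "OpenSSH_3.2.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f" || true
rm -f "$good" "$bad"
```

On a live host the banner to feed `audit` is what `ssh -V` prints (to stderr), and the config is `/etc/ssh/sshd_config`; the script deliberately treats a missing directive as a warning rather than trusting any version's default, because the thread's point is to set it explicitly.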
