Date: Mon, 24 Jun 2002 16:20:40 -0600
From: "Dalin S. Owen" <dowen@nexusxi.com>
To: Jason DiCioccio <geniusj+categories.replies@bluenugget.net>
Cc: freebsd-security@freebsd.org
Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)
Message-ID: <20020624162040.A280@nexusxi.com>
In-Reply-To: <2147483647.1024930479@[192.168.4.154]>; from geniusj@bluenugget.net on Mon, Jun 24, 2002 at 02:54:39PM -0700
References: <2147483647.1024930479@[192.168.4.154]>
FreeBSD's OpenSSH is too old, it doesn't have PrivSep.. :( So firewall your port 22 guys. :)

On Mon, Jun 24, 2002 at 02:54:39PM -0700, Jason DiCioccio wrote:
> ---------- Forwarded Message ----------
> Date: Monday, June 24, 2002 11:06 PM +0200
> From: Markus Friedl <markus@openbsd.org>
> To: openssh-unix-announce@mindrot.org, openssh-unix-dev@mindrot.org
> Subject: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability
>
> On Mon, Jun 24, 2002 at 03:00:10PM -0600, Theo de Raadt wrote:
> > Date: Mon, 24 Jun 2002 15:00:10 -0600
> > From: Theo de Raadt <deraadt@cvs.openbsd.org>
> > Subject: Upcoming OpenSSH vulnerability
> > To: bugtraq@securityfocus.com
> > Cc: announce@openbsd.org
> > Cc: dsi@iss.net
> > Cc: misc@openbsd.org
> >
> > There is an upcoming OpenSSH vulnerability that we're working on with
> > ISS. Details will be published early next week.
> >
> > However, I can say that when OpenSSH's sshd(8) is running with priv
> > separation, the bug cannot be exploited.
> >
> > OpenSSH 3.3p was released a few days ago, with various improvements
> > but in particular, it significantly improves the Linux and Solaris
> > support for priv sep. However, it is not yet perfect. Compression is
> > disabled on some systems, and the many varieties of PAM are causing
> > major headaches.
> >
> > However, everyone should update to OpenSSH 3.3 immediately, and enable
> > priv separation in their ssh daemons, by setting this in your
> > /etc/ssh/sshd_config file:
> >
> [...]
> >
> > OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away.
> > On OpenBSD privsep works flawlessly, and I have reports that it is also
> > true on NetBSD. All other systems appear to have minor or major
> > weaknesses when this code is running.
>
> I know Theo did not mention FreeBSD, but does anyone know for sure if
> FreeBSD is one of the platforms with major/minor weaknesses in the privsep
> code? And if it is major, or minor? ;-)
>
> Cheers,
> -JD-
>
> --
> Jason DiCioccio - jd@bluenugget.net - Useless .sig
> Open Domain Service - geniusj@ods.org - http://www.ods.org/
> Ruby - jd@ruby-lang.org - http://www.ruby-lang.org/
>
> PGP Fingerprint - C442 04E2 26B0 3809 8357 96AB D350 9596 0436 7C08
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Regards,
Dalin S. Owen
Nexus XI Corp.
Email: dowen@nexusxi.com
Web: http://www.nexusxi.com/
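The thread's advice boils down to two checks an administrator would run on a host before trusting sshd: is the installed OpenSSH at least 3.3, and does sshd_config actually turn privilege separation on. The following POSIX shell script is an added example written for this page, not code from the thread or from the OpenSSH project. It assumes the real OpenSSH directive name UsePrivilegeSeparation (the line Theo's mail elides), takes the config path as an argument, and parses a version banner passed in as a string; the sample config and the banner string in it are constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example (not from the thread): two checks an admin could run on a
# host before deciding whether the privsep mitigation applies to it.
#   1. Is the OpenSSH version (from an "ssh -V"-style banner passed as a
#      string) at least 3.3?
#   2. Does sshd_config explicitly set UsePrivilegeSeparation (a real
#      OpenSSH directive; the file path is whatever the caller passes)?

# openssh_at_least_33 BANNER -> exit 0 if version >= 3.3, 1 if older,
# 2 if the banner could not be parsed at all.
openssh_at_least_33() {
    mm=$(printf '%s\n' "$1" \
        | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$mm" ] || return 2
    set -- $mm                      # $1 = major, $2 = minor
    if [ "$1" -gt 3 ]; then return 0; fi
    if [ "$1" -eq 3 ] && [ "$2" -ge 3 ]; then return 0; fi
    return 1
}

# privsep_state FILE -> prints yes, no, unset, or invalid:<value>.
# Comments are stripped, the keyword is matched case-insensitively, and
# the last occurrence wins, so a commented-out "no" above a live "yes"
# does not fool the check.
privsep_state() {
    val=$(sed -e 's/#.*//' "$1" \
        | awk 'tolower($1) == "useprivilegeseparation" { v = tolower($2) }
               END { print v }')
    case "$val" in
        yes) echo yes ;;
        no)  echo no ;;
        "")  echo unset ;;
        *)   echo "invalid:$val" ;;
    esac
}

# Constructed sample config for a stand-alone run (not a real host's file).
sample=$(mktemp)
printf 'Port 22\n#UsePrivilegeSeparation no\nUsePrivilegeSeparation yes\n' > "$sample"
echo "privsep: $(privsep_state "$sample")"
# Constructed banner string standing in for the output of "ssh -V".
if openssh_at_least_33 "OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f"; then
    echo "version ok"
else
    echo "version too old or unparsed (rc=$?)"
fi
rm -f "$sample"
```

On a real host you would feed privsep_state the path /etc/ssh/sshd_config and openssh_at_least_33 the banner from `ssh -V` (which old releases print on stderr, so redirect 2>&1). A result of "unset" means the file relies on whatever the build's default is, which is exactly the case Theo's advice tells you not to rely on; "no", or a version that fails the check, puts the host in the "firewall port 22" bucket from Dalin's reply.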
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020624162040.A280>