Date: Wed, 26 Jun 2002 11:10:44 -0400
From: Mike Tancsa <mike@sentex.net>
To: Darren Reed <avalon@coombs.anu.edu.au>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: OpenSSH Advisory (was Re: Much ado about nothing.)
Message-ID: <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca>
In-Reply-To: <200206261452.AAA26617@caligula.anu.edu.au>
References: <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca>
At 12:52 AM 27/06/2002 +1000, Darren Reed wrote:

> >From the OpenSSH 3.4 announcement:
> >
> >Changes since OpenSSH 3.3:
> >============================
> >
> >Security Changes:
> >=================
> >
> > All versions of OpenSSH's sshd between 2.9.9 and 3.3
> > contain an input validation error that can result in

OK, but 2.9.9... is that really the same as FreeBSD's

SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20020307

Also, the ISS advisory states

"Administrators can remove this vulnerability by disabling the
Challenge-Response authentication parameter within the OpenSSH daemon
configuration file. This filename and path is typically:
/etc/ssh/sshd_config. To disable this parameter, locate the
corresponding line and change it to the line below:

ChallengeResponseAuthentication no
"

This would imply there is a workaround, but the talk beforehand

----quote from Message-Id: <200206242327.g5ONRBLI012690@cvs.openbsd.org>---
Bullshit. You have been told to move up to privsep so that you are
immunized by the time the bug is released. If you fail to immunize your
users, then the best you can do is tell them to disable OpenSSH until 3.4
is out early next week with the bugfix in it. Of course, then the bug will
be public.
----end-quote---

---Mike

>In some mail from Mike Tancsa, sie said:
> >
> > Can someone confirm for me that the quote,
> >
> > ----------
> > Impact:
> >
> > OpenBSD, FreeBSD-Current, and other OpenSSH implementations may be
> > vulnerable to a remote, superuser compromise.
> >
> > Affected Versions:
> >
> > OpenBSD 3.0
> > OpenBSD 3.1
> > FreeBSD-Current
> > OpenSSH 3.0-3.2.3
> >
> > ------------end quote-------------
> >
> > would imply that the version 2.9 in STABLE is not vulnerable ?
> >
> > At 07:23 AM 26/06/2002 -0700, Benjamin Krueger wrote:
> >
> > >http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584
> > >
> > >Regards,
> > >
> > >--
> > >Benjamin Krueger
> > >
> > >"Life is far too important a thing ever to talk seriously about."
> > >- Oscar Wilde (1854 - 1900)
> > >----------------------------------------------------------------
> > >Send mail w/ subject 'send public key' or query for (0x251A4B18)
> > >Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18
> > >
> > >To Unsubscribe: send mail to majordomo@FreeBSD.org
> > >with "unsubscribe freebsd-security" in the body of the message
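A defender-side check for the two points argued over in the thread (whether the ISS `ChallengeResponseAuthentication no` workaround is actually in effect, and whether a server's banner falls in the 2.9.9 to 3.3 range the announcement names), added here as example code that is not from the thread or from the OpenSSH project. The config text and banners are constructed; the version range is the one quoted above.

```python
import re

# Affected range stated in the OpenSSH 3.4 announcement (inclusive)
AFFECTED_MIN = (2, 9, 9)
AFFECTED_MAX = (3, 3, 0)


def challenge_response_enabled(config_text: str) -> bool:
    """Return True if ChallengeResponseAuthentication is effectively on.

    sshd_config semantics: keywords are case-insensitive, '#' starts a
    comment, the first occurrence of a keyword wins, and the default when
    the keyword is absent (or only present commented out) is 'yes'.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts
        if key.lower() == "challengeresponseauthentication":
            return value.strip().lower() == "yes"   # first match wins
    return True   # keyword never set: sshd's default is 'yes'


def parse_banner_version(banner: str):
    """Extract the OpenSSH version from an SSH identification banner.

    'SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20020307' -> (2, 9, 0);
    a portable suffix such as '3.3p1' is ignored. None if not OpenSSH.
    """
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def version_in_advisory_range(banner: str) -> bool:
    """True if the banner version lies inside the announced range.

    Caveat: vendor builds carry their own strings (the FreeBSD 2.9 banner
    above is an example), so a version outside the range is not, by
    itself, evidence that the build is unaffected.
    """
    v = parse_banner_version(banner)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX
```

Note that a commented-out `#ChallengeResponseAuthentication no` line leaves the daemon at its default of yes, which is the case the config check is meant to catch.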