Vulnerability in OpenSSH

From: Sandor W. Sklar (ssklar@STANFORD.EDU)
Date: Tue Jun 25 2002 - 15:55:53 EDT


Folks,

For those AIXers who are unaware, it appears that, early next week,
details of a root exploit in OpenSSH will be made public. The only
suggested protection against this vulnerability is to upgrade to the
recently released OpenSSH version 3.3.

That release contains new functionality called "Privilege
Separation"; unfortunately, PrivSep does not work on AIX in that
release version. According to members of the openssh-unix-dev
mailing list, the current CVS version of OpenSSH has a fix in it for
the AIX problem.

For more information about all of the above, I'd suggest checking out
<http://www.openssh.com>; note that the webpage says that 3.4 will be
out on Monday, but I'm assuming that is the OpenBSD-only release, not
the portable one needed for AIX.

-S-

--
   Sandor W. Sklar  -  Unix Systems Administrator  -  Stanford University ITSS
   Non impediti ratione cogitationis.     http://whippet.stanford.edu/~ssklar/

