(FIXED!!) SUMMARY(2): priv separation and OpenSSH vulnerability

From: Tru64 User (tru64user@yahoo.com)
Date: Wed Jun 26 2002 - 11:33:00 EDT


http://openssh.org

Just posted!!

OpenSSH 3.4 released June 26, 2002.
Contains support for SSH1 and SSH2 protocols.

At least one major security vulnerability exists in
many deployed OpenSSH versions (2.9.9 to 3.3). Please
see the ISS advisory, or our own OpenSSH advisory on
this topic where simple patches are provided for the
pre-authentication problem. Systems running with
UsePrivilegeSeparation yes or
ChallengeResponseAuthentication no are not affected.

The 3.4 release contains many other fixes done over a
week-long audit started when this issue came to light.
We believe that some of those fixes are likely to be
important security fixes. Therefore, we urge an
upgrade to 3.4.

--- Bob Vickers <bobv@cs.rhul.ac.uk> wrote:
> Dear All,
>
> As the situation is fairly fluid I'll issue another summary.
>
> At present I believe there is nothing Tru64 users can do to fix the
> OpenSSH vulnerability, because as far as I know nobody has managed to
> get the privilege separation feature of OpenSSH 3.3p1 working. This
> applies whether or not you have C2-security enabled.
>
> However, things should improve next week. A news item at
> www.openssh.org says "keep an eye out for the upcoming OpenSSH 3.4
> release on Monday that fixes the vulnerability itself". So as of next
> week you should be able to fix the bug without needing the privilege
> separation feature.
>
> Nevertheless, the privilege separation feature is highly desirable
> because it protects you against bugs that have not yet been
> discovered. Chris Adams reports that "the next release of OpenSSH will
> automatically turn off privsep for the post authentication phase, so
> it should work on all Tru64 with privsep enabled".
>
> Thanks to the many people who have responded.
>
> Regards,
> Bob
> --
> ==============================================================
> Bob Vickers
> R.Vickers@cs.rhul.ac.uk
> Dept of Computer Science, Royal Holloway, University of London
> WWW: http://www.cs.rhul.ac.uk/home/bobv
>

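Added example, not part of this post and not code from the OpenSSH project: a small POSIX sh checker that applies the two facts quoted from the release note above, the affected version range 2.9.9 to 3.3 and the two mitigating sshd_config settings (UsePrivilegeSeparation yes, or ChallengeResponseAuthentication no), to a server banner and an sshd_config file. The file names and sample configs are constructed for the demo. Two assumptions are made explicit in the code: an unset UsePrivilegeSeparation is counted as off (only an explicit setting counts, the conservative choice), and an unset ChallengeResponseAuthentication is taken as its documented default, yes.

```shell
#!/bin/sh
# Added example, not code from the OpenSSH project or from this thread.
# Decides whether an sshd is exposed to the pre-authentication bug in the
# release note above: affected versions are OpenSSH 2.9.9 through 3.3, and
# either "UsePrivilegeSeparation yes" or "ChallengeResponseAuthentication no"
# removes the exposure.

# True (0) if the OpenSSH version in a server banner falls in 2.9.9 .. 3.3.
# Banners that are not OpenSSH at all are reported as not affected.
openssh_version_affected() {
    banner=$1
    case $banner in
        *OpenSSH_*) ;;
        *) return 1 ;;
    esac
    ver=${banner#*OpenSSH_}        # e.g. "3.3p1" or "2.9.9p2"
    ver=${ver%%[!0-9.]*}           # drop the portable "pN" suffix and beyond
    oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    n=$(( maj * 10000 + min * 100 + pat ))
    [ "$n" -ge 20909 ] && [ "$n" -lt 30400 ]   # 2.9.9 <= version < 3.4
}

# Effective value of a keyword in an sshd_config: sshd uses the first
# occurrence, keywords are case-insensitive, '#' lines are comments.
# Prints nothing if the keyword is not set.
sshd_config_get() {
    key=$(printf %s "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key       { print $2; exit }
    ' "$1"
}

# True (0) if the config carries either mitigation from the release note.
sshd_config_mitigated() {
    privsep=$(sshd_config_get "$1" UsePrivilegeSeparation)
    cra=$(sshd_config_get "$1" ChallengeResponseAuthentication)
    # Assumptions: an unset UsePrivilegeSeparation counts as off (only an
    # explicit "yes" is trusted); an unset ChallengeResponseAuthentication
    # is taken as its documented default, yes.
    privsep=$(printf %s "${privsep:-no}" | tr 'A-Z' 'a-z')
    cra=$(printf %s "${cra:-yes}" | tr 'A-Z' 'a-z')
    [ "$privsep" = yes ] || [ "$cra" = no ]
}

# True (0) if the host is exposed: affected version and no mitigation.
host_exposed() {
    if ! openssh_version_affected "$1"; then
        echo "not exposed: version outside 2.9.9..3.3 ($1)"; return 1
    fi
    if sshd_config_mitigated "$2"; then
        echo "not exposed: mitigated by $2"; return 1
    fi
    echo "EXPOSED: $1 with no mitigation in $2; upgrade to 3.4 or patch"
    return 0
}

# Constructed sample configs so the script runs stand-alone.
demo=${TMPDIR:-/tmp}/privsep-check.$$
mkdir -p "$demo"
trap 'rm -rf "$demo"' EXIT

# A Tru64 3.3p1 host as described in the thread: privsep could not be made
# to work, and challenge-response authentication is still on.
cat >"$demo/sshd_config.exposed" <<'EOF'
# sshd_config (constructed sample)
Port 22
Protocol 2,1
useprivilegeseparation no
ChallengeResponseAuthentication yes
PasswordAuthentication yes
EOF

# The same host with the interim workaround applied. The second
# ChallengeResponseAuthentication line is ignored: sshd keeps the first.
cat >"$demo/sshd_config.mitigated" <<'EOF'
Port 22
Protocol 2,1
UsePrivilegeSeparation no
ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
EOF

host_exposed "SSH-1.99-OpenSSH_3.3p1" "$demo/sshd_config.exposed"   || true
host_exposed "SSH-1.99-OpenSSH_3.3p1" "$demo/sshd_config.mitigated" || true
host_exposed "SSH-1.99-OpenSSH_3.4p1" "$demo/sshd_config.exposed"   || true
```

The banner can be taken from a live server with `nc host 22` (the first line it sends); the config check has to run on the host itself, reading the file sshd was actually started with, since a forgotten `-f` alternate config is a common way for a "mitigated" host to stay exposed.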



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:48:44 EDT