SUMMARY(3): priv separation and OpenSSH vulnerability

From: Bob Vickers (bobv@cs.rhul.ac.uk)
Date: Wed Jun 26 2002 - 11:56:35 EDT


Dear All,

Barely was my message out before the situation changed again... see
www.openssh.org, which has just come clean about the vulnerability,
and also announces 3.4p1.

It turns out there is a trivial solution if you don't need the challenge-
response authentication mechanism. Just include
  ChallengeResponseAuthentication no
in your sshd_config file and restart sshd.

Also it appears that privilege separation still doesn't work with
3.4p1. But 3.4p1 still gives you protection against the known bug.

I'm not issuing any more summaries whatever happens!!! Look at the
bugtraq mailing list archive or www.openssh.org if you are interested.

Regards,
Bob

-- 
==============================================================
Bob Vickers                     R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW:    http://www.cs.rhul.ac.uk/home/bobv
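
Added example, not part of the original message: a shell check that an sshd_config file actually carries the workaround described above. It assumes sshd's documented parsing rules (keywords are case-insensitive and the first value read for a keyword wins); the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Sample files are constructed.

# cra_setting FILE: print the value from the first active
# ChallengeResponseAuthentication line, or "unset" if there is none.
# sshd keeps the first value it reads for a keyword; later lines are ignored.
cra_setting() {
    awk '
        /^[ \t]*#/ { next }                     # comment line
        /^[ \t]*$/ { next }                     # blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)           # keyword ends at space, tab or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))   # keywords are case-insensitive
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (key == "challengeresponseauthentication") { print val; found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# cra_check FILE: return 0 only when the setting is explicitly "no".
cra_check() {
    v=$(cra_setting "$1") || return 2
    if [ "$v" = "no" ]; then
        echo "$1: ChallengeResponseAuthentication no (workaround in place)"
        return 0
    fi
    echo "$1: ChallengeResponseAuthentication is '$v' (workaround NOT in place)"
    return 1
}

# make_samples DIR: write three constructed sshd_config files for the demo.
make_samples() {
    printf '%s\n' 'Port 22' 'ChallengeResponseAuthentication no' > "$1/fixed"
    printf '%s\n' 'Port 22' '#ChallengeResponseAuthentication no' > "$1/commented"
    printf '%s\n' 'challengeresponseauthentication yes' \
        'ChallengeResponseAuthentication no' > "$1/shadowed"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in fixed commented shadowed; do cra_check "$demo_dir/$f" || true; done
rm -rf "$demo_dir"
```

The check reads the file only; it does not tell you whether the running sshd has been restarted since the file was changed.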

