Date:      Wed, 26 Jun 2002 18:08:42 -0700
From:      Jason DiCioccio <geniusj@bluenugget.net>
To:        chris@aims.com.au, rwatson@FreeBSD.ORG
Cc:        freebsd-security@FreeBSD.ORG
Subject:   RE: Wow
Message-ID:  <2147483647.1025114921@[192.168.4.154]>
In-Reply-To: <012e01c21d6c$e16ce9c0$020aa8c0@aims.private>
References:   <012e01c21d6c$e16ce9c0$020aa8c0@aims.private>




--On Thursday, June 27, 2002 9:54 AM +1000 Chris Knight <chris@aims.com.au> 
wrote:

[snip]
> Isn't the merge a little bit hasty? According to the advisory, the
> least intrusive change to -STABLE would be to uncomment the
> ChallengeResponseAuthentication in /usr/src/crypto/openssh/sshd_config.
> The PAM issues appear to only be in 2.9.9+.
> Also, my understanding of the advisory is that the exploit hasn't been
> fixed - it's just that Privilege Separation will limit the exploit to
> a chrooted environment with minimal permissions.
> Please correct me if I'm wrong.

3.4 is patched.  I'm not sure if they're still doing 3.3p1 for -STABLE, but
I wouldn't think so.  If 3.4 will be the new version in FreeBSD, then that
will patch this bug and some others while providing the benefit of privsep
in addition.

Cheers,
-JD-

--
Jason DiCioccio     - jd@bluenugget.net  - Useless .sig
Open Domain Service - geniusj@ods.org    - http://www.ods.org/
Ruby                - jd@ruby-lang.org   - http://www.ruby-lang.org/

PGP Fingerprint - C442 04E2 26B0 3809 8357  96AB D350 9596 0436 7C08
