Date: Tue, 16 Sep 2003 13:54:17 -0500 From: "Jacques A. Vidrine" <nectar@FreeBSD.org> To: Brett Glass <brett@lariat.org> Cc: freebsd-security@FreeBSD.org Subject: Re: OpenSSH heads-up Message-ID: <20030916185417.GA6885@madman.celabo.org> In-Reply-To: <4.3.2.7.2.20030916124550.02a55970@localhost> References: <4.3.2.7.2.20030916123558.02cfdef0@localhost> <20030916134347.GA30359@madman.celabo.org> <4.3.2.7.2.20030916123558.02cfdef0@localhost> <4.3.2.7.2.20030916124550.02a55970@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Sep 16, 2003 at 12:49:23PM -0600, Brett Glass wrote: > Interesting. > > I could scan the source, but perhaps you already have and can answer > the following questions: > > 1. Could the bug be exploited by someone who had not authenticated > with the server? > > 2. Can it be worked around by changing the configuration until one > has time to patch? (You mention that it's an SSH2 exploit; perhaps > one can disable SSH2 and use SSH1 in the interim?) AFAICT, you need not authenticate, it is not specific to protocol version 2, and there is no workaround. -- Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030916185417.GA6885>