Date: Tue, 14 Dec 1999 20:52:00 -0800 From: "Michael Bryan" <fbsd-security@ursine.com> To: freebsd-security@FreeBSD.ORG Subject: Re: CERT released RSAREF bulletin Message-ID: <199912142052000380.09DCA719@quaggy.ursine.com> In-Reply-To: <199912150404.WAA28271@alecto.physics.uiuc.edu>
index | next in thread | previous in thread | raw e-mail
>I've noticed that the patch just changed from its Dec.2 version. >Does it mean that the rsaref2 (and therefore the software based on it) >as of Dec.2-Dec.13 is/was still vulnerable, >or this is more of a aesthetic change for the sake of the patch elegancy ? If I recall the BugTraq message on this correctly, the original RSAREF patch was not enough to catch all cases, but did close things down substantially. There was also a patch made to the port of ssh in mid-November (specifically rsaglue.c), and I think that fully closes the hole as well, but obviously only for ssh/sshd. Other users of RSAREF would still be vulnerable unless the RSAREF port is patched as well. As a final note, a BugTraq message said that somebody has coded an exploit for the bug as seen in sshd 1.2.27 and earlier, and they are about to release it to the world. It works on Linux and OpenBSD, giving the attacker root access. It will likely work against FreeBSD as well, possibly with minor modifications. Anybody who uses ssh 1.2.27 or earlier in combination with RSAREF needs to update things on their systems ASAP. (RSAREF is not the normal compilation of the ssh port, though.) Supposedly there is a 1.2.28 version of ssh in the works, but there's no sign of it just yet on their ftp server or web site. Michael Bryan fbsd-security@ursine.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the messagehelp
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199912142052000380.09DCA719>