Date: Tue, 14 Dec 1999 20:52:00 -0800 From: "Michael Bryan" <fbsd-security@ursine.com> To: freebsd-security@FreeBSD.ORG Subject: Re: CERT released RSAREF bulletin Message-ID: <199912142052000380.09DCA719@quaggy.ursine.com> In-Reply-To: <199912150404.WAA28271@alecto.physics.uiuc.edu> References: <199912150404.WAA28271@alecto.physics.uiuc.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
>I've noticed that the patch just changed from its Dec.2 version. >Does it mean that the rsaref2 (and therefore the software based on it) >as of Dec.2-Dec.13 is/was still vulnerable, >or this is more of a aesthetic change for the sake of the patch elegancy ? If I recall the BugTraq message on this correctly, the original RSAREF= patch was not enough to catch all cases, but did close things down substantially. There was also a patch made to the port of ssh in mid-November= (specifically rsaglue.c), and I think that fully closes the hole as well, but obviously only for ssh/sshd. Other users of RSAREF would still be vulnerable unless the RSAREF port is patched as well. As a final note, a BugTraq message said that somebody has coded an exploit for the bug as seen in sshd 1.2.27 and earlier, and they are about to= release it to the world. It works on Linux and OpenBSD, giving the attacker root= access. It will likely work against FreeBSD as well, possibly with minor= modifications. Anybody who uses ssh 1.2.27 or earlier in combination with RSAREF needs to= update things on their systems ASAP. (RSAREF is not the normal compilation of the= ssh port, though.) Supposedly there is a 1.2.28 version of ssh in the works, but there's no= sign of it just yet on their ftp server or web site. Michael Bryan fbsd-security@ursine.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199912142052000380.09DCA719>