Date: Fri, 26 Sep 2003 11:38:54 -0400 From: Mike Tancsa <mike@sentex.net> To: security@freebsd.org Subject: Re: OpenSSH: multiple vulnerabilities in the new PAM code Message-ID: <6.0.0.22.0.20030926113652.07ffbe88@209.112.4.2> In-Reply-To: <20030924153204.GE57702@madman.celabo.org> References: <3F705D4D.4070404@tenebras.com> <20030923205318.GB3346@scylla.towardex.com> <20030924091603.GC22622@starjuice.net> <20030924142015.GC57288@madman.celabo.org> <20030924142717.GA9026@sheol.localdomain> <20030924153204.GE57702@madman.celabo.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi,
Are there plans for an updated advisory ? In the mean time, I take
it the same build instructions apply ?
---Mike
At 11:32 AM 24/09/2003, Jacques A. Vidrine wrote:
>On Wed, Sep 24, 2003 at 09:27:17AM -0500, D J Hawkey Jr wrote:
> > On Sep 24, at 09:20 AM, Jacques A. Vidrine wrote:
> > >
> > > On Wed, Sep 24, 2003 at 11:16:03AM +0200, Sheldon Hearn wrote:
> > > > On (2003/09/23 16:53), Haesu wrote:
> > > >
> > > > > Oh jee, here we go again. Hey, at least patched 3.5p1 on FreeBSD
> > > > > 4.8/4.9 are not effected :)
> > > >
> > > > Since -CURRENT's using a modified OpenSSH_3.6.1p1, I don't think this
> > > > issue affects FreeBSD at all.
> > >
> > > Unfortunately, it _does_ affect us. The PAM code in OpenSSH 3.7x was
> > > taken from FreeBSD's PAM code. des@ is working the issue now.
> >
> > But just "portable", right?
>
>No, not just OpenSSH-portable.
>
> > Or are any "core" OpenSSHes across various
> > FreeBSD releases also vulnerable?
>
>I'm only talking about the base system OpenSSH above (which is based
>on OpenSSH-portable), but both `openssh' and `openssh-portable' in the
>Ports Collection are likely affected, as they contain the same code
>(brought in by the port maintainer).
>
>Cheers,
>--
>Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
>nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.0.0.22.0.20030926113652.07ffbe88>