Date: Tue, 7 Jan 2003 00:19:26 +0100 From: "Maxence Rousseau" <mrousseau@k-meleon.com> To: <freebsd-security@FreeBSD.ORG> Subject: FAKE Fw: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS Message-ID: <003a01c2b5da$0e5ab9c0$2101a8c0@PestifereWin2k>
next in thread | raw e-mail | index | archive | help
----- Original Message ----- From: "Global InterSec Research" <lists@globalintersec.com> To: <bugtraq@securityfocus.com> Sent: Monday, January 06, 2003 9:05 PM Subject: Re: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS > > As some may have gathered, the advisory recently posted by mmhs@hushmail.com > was indeed a fake, intended to highlight several unclear statements made in GIS2002062801. > > The advisory in question is currently being updated with more detailed information and will be > re-posted at: http://www.globalintersec.com/adv/openssh-2002062801.txt as soon as it becomes > available. > > Note that the kbd-init flaw described in GIS2002062801 was proven to be exploitable in our lab > although not all evidence to demonstrate this was provided in the original advisory. A mistake > was made in the original advisory draft, where chunk content data was shown, rather than the > entire corrupted malloc chunk. This will be amended in the revision. > > Also note that to our knowledge there are currently no known, exploitable flaws in OpenSSH 3.5p1, > due to its use of PAM as suggested by mmhs@hushmail.com. It is almost certain that the posted > bogus advisory was also intended to cause alarm amongst communities using OpenSSH, through > miss-information. > > > Global InterSec LLC. > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?003a01c2b5da$0e5ab9c0$2101a8c0>