Date: Sun, 2 Dec 2001 20:01:30 -0600
From: "Jacques A. Vidrine" <n@nectar.com>
To: freebsd-security@freebsd.org
Subject: Fwd: [cvs commit: src/crypto/openssh session.c]
Message-ID: <20011203020130.GA99399@madman.nectar.com>

Hello,

There will be a security advisory released for this within the next
day or two.  Meanwhile, here's the short version:

If you are running an OpenSSH server with `UseLogin yes', then an
otherwise legitimate user of your system may be able to execute
arbitrary code as root.

By default, OpenSSH runs with `UseLogin no', so you probably have
nothing to worry about unless you've changed that.

Cheers,
-- 
Jacques A. Vidrine <n@nectar.com>                 http://www.nectar.com/
NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
jvidrine@verio.net     .  nectar@FreeBSD.org  .          nectar@kth.se

----- Forwarded message from Jacques Vidrine <nectar@FreeBSD.org> -----

Date: Sun, 2 Dec 2001 16:51:47 -0800 (PST)
From: Jacques Vidrine <nectar@FreeBSD.org>
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/crypto/openssh session.c

nectar      2001/12/02 16:51:47 PST

  Modified files:
    crypto/openssh       session.c
  Log:
  Do not pass user-defined environmental variables to /usr/bin/login.

  Obtained from: OpenBSD
  Approved by: green

  Revision  Changes    Path
  1.18      +2 -0      src/crypto/openssh/session.c

----- End forwarded message -----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
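
Added example, not part of the original message and not OpenSSH or FreeBSD code: a shell check for the condition the message describes, reporting whether an sshd_config file effectively sets UseLogin yes. It assumes sshd takes the first value it reads for a keyword, matches keywords case-insensitively and accepts keyword=value; the function names and the sample config files are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an sshd_config for the UseLogin setting.
# Assumptions: first occurrence of a keyword wins, keywords are
# case-insensitive, "keyword=value" and quoted values are accepted.

# Print the effective UseLogin value ("yes" or "no") for the file at $1.
uselogin_effective() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comment and blank lines
        {
            gsub(/[="]/, " ")               # normalise keyword=value / "value"
            if (tolower($1) == "uselogin") {
                value = tolower($2)         # lowercased to err on the safe side
                exit                        # first occurrence wins
            }
        }
        END { print ((value == "yes") ? "yes" : "no") }   # unset means "no"
    ' "$1"
}

# Return 0 when UseLogin is off, 1 when it is enabled.
check_sshd_config() {
    if [ "$(uselogin_effective "$1")" = "yes" ]; then
        echo "$1: UseLogin yes -> set UseLogin no, then restart sshd"
        return 1
    fi
    echo "$1: UseLogin no"
}

# Run the check over two constructed sample configs.
demo() {
    tmp=$(mktemp -d) || return 1
    # constructed sample: option only present as a comment (default applies)
    printf '%s\n' 'Port 22' '#UseLogin yes' > "$tmp/default_config"
    # constructed sample: enabled first, a later "no" does not override it
    printf '%s\n' 'Port 22' 'useLogin=yes' 'UseLogin no' > "$tmp/changed_config"
    flagged=0
    for f in "$tmp/default_config" "$tmp/changed_config"; do
        check_sshd_config "$f" || flagged=$((flagged + 1))
    done
    rm -rf "$tmp"
    echo "configs with UseLogin enabled: $flagged"
}

# With a path argument, audit that file; otherwise run the demo.
if [ "$#" -gt 0 ]; then check_sshd_config "$1"; else demo; fi
```

Called with a path, for example the system's sshd_config, the script exits non-zero when UseLogin is enabled, so it can be used as a gate in a configuration audit.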