From owner-freebsd-security Sun Dec  2 18:01:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gw.nectar.com (gw.nectar.com [208.42.49.153])
	by hub.freebsd.org (Postfix) with ESMTP id BEA0F37B416
	for ; Sun, 2 Dec 2001 18:01:30 -0800 (PST)
Received: from madman.nectar.com (madman.nectar.com [10.0.1.111])
	by gw.nectar.com (Postfix) with ESMTP id 51DDE2C
	for ; Sun, 2 Dec 2001 20:01:30 -0600 (CST)
Received: (from nectar@localhost)
	by madman.nectar.com (8.11.6/8.11.3) id fB321Uu99421
	for freebsd-security@freebsd.org; Sun, 2 Dec 2001 20:01:30 -0600 (CST)
	(envelope-from nectar)
Date: Sun, 2 Dec 2001 20:01:30 -0600
From: "Jacques A. Vidrine"
To: freebsd-security@freebsd.org
Subject: Fwd: [cvs commit: src/crypto/openssh session.c]
Message-ID: <20011203020130.GA99399@madman.nectar.com>
Mail-Followup-To: "Jacques A. Vidrine", freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.23.1i
X-Url: http://www.nectar.com/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hello,

There will be a security advisory released for this within the next day
or two. Meanwhile, here's the short version:

If you are running an OpenSSH server with `UseLogin yes', then an
otherwise legitimate user of your system may be able to execute
arbitrary code as root.

By default, OpenSSH runs with `UseLogin no', so you probably have
nothing to worry about unless you've changed that.

Cheers,
-- 
Jacques A. Vidrine                 http://www.nectar.com/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

----- Forwarded message from Jacques Vidrine -----

Date: Sun, 2 Dec 2001 16:51:47 -0800 (PST)
From: Jacques Vidrine
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/crypto/openssh session.c

nectar      2001/12/02 16:51:47 PST

  Modified files:
    crypto/openssh       session.c
  Log:
  Do not pass user-defined environmental variables to /usr/bin/login.

  Obtained from:  OpenBSD
  Approved by:    green

  Revision  Changes    Path
  1.18      +2 -0      src/crypto/openssh/session.c

----- End forwarded message -----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
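The practical question the mail leaves an administrator with is "does my sshd_config actually set UseLogin yes?" The script below is an added example, not part of the mail and not OpenSSH's own code: it reports the effective UseLogin value of a given sshd_config and, if wanted, rewrites the file back to the default `no'. The parsing rules it assumes follow OpenSSH's server option parser (keywords are case-insensitive, `=' is accepted as a separator, the first occurrence of a keyword wins, `yes'/`true' both mean on, and an absent keyword means the default `no'); the sample config files it creates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail or from OpenSSH): audit and
# harden the UseLogin setting of an sshd_config file.
#
# Assumed parsing rules, matching OpenSSH's servconf/strdelim behaviour:
#   - comments and blank lines are ignored
#   - keywords are case-insensitive; whitespace or "=" separate keyword/value
#   - the first occurrence of a keyword wins
#   - "yes"/"true" enable the flag; anything else, or no keyword, means "no"

# use_login_setting FILE  -> prints the effective value: "yes" or "no"
use_login_setting() {
    val=$(awk '
        { line = $0; sub(/^[[:space:]]+/, "", line) }      # strip leading blanks
        line == "" || line ~ /^#/ { next }                 # skip blank/comment lines
        {
            split(line, w, /[[:space:]=]+/)
            if (tolower(w[1]) == "uselogin") {             # first match wins, as in sshd
                print tolower(w[2]); exit
            }
        }' "$1")
    case "$val" in
        yes|true) echo yes ;;
        *)        echo no ;;                               # unset or off: OpenSSH default
    esac
}

# disable_use_login FILE  -> comments out every UseLogin line (kept for the
# audit trail) and appends an explicit "UseLogin no".
disable_use_login() {
    f=$1
    tmp="$f.tmp.$$"
    awk '
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            split(line, w, /[[:space:]=]+/)
            if (tolower(w[1]) == "uselogin") print "#" $0; else print $0
        }
        END { print "UseLogin no" }' "$f" > "$tmp" && mv "$tmp" "$f"
}

# --- demo on constructed sample configs (illustration only) ---
dir=$(mktemp -d)
printf '%s\n' '# constructed: the dangerous setting, with odd casing/spacing' \
              'Protocol 2' '  UseLogin   YES' 'UseLogin no' > "$dir/bad"
printf '%s\n' '# constructed: default, keyword only present in a comment' \
              'Protocol 2' '#UseLogin yes' > "$dir/ok"
for f in bad ok; do
    echo "$f: UseLogin effectively $(use_login_setting "$dir/$f")"
done
disable_use_login "$dir/bad"
echo "bad after hardening: UseLogin effectively $(use_login_setting "$dir/bad")"
rm -rf "$dir"
```

Run it against a live host with `use_login_setting /etc/ssh/sshd_config`; a result of `yes` is the condition the mail warns about, and `disable_use_login` followed by a restart of sshd returns the daemon to the default. Note that `disable_use_login` deliberately comments out rather than deletes the old line, so the change is visible on later review.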