Date: Tue, 4 Dec 2001 17:26:05 -0800
From: Erick Mechler <emechler@techometer.net>
To: Henry smith <getzz11@yahoo.com>
Cc: security@FreeBSD.ORG
Subject: Re: upgrade sshd ?
Message-ID: <20011204172605.T66947@techometer.net>
In-Reply-To: <20011205010118.50293.qmail@web21109.mail.yahoo.com>; from Henry smith on Tue, Dec 04, 2001 at 05:01:18PM -0800
References: <20011205010118.50293.qmail@web21109.mail.yahoo.com>

Yeah, if you don't want to be vulnerable to the 'UseLogin' exploit. The
packages should have shown up on the mirrors by now.

--Erick

----------------------------------------
Important Changes:
==================

This release fixes a vulnerability in the UseLogin option
of OpenSSH. This option is not enabled in the default
installation of OpenSSH.

However, if UseLogin is enabled by the administrator, all
versions of OpenSSH prior to 3.0.2 may be vulnerable to
local attacks.

The vulnerability allows local users to pass environment
variables (e.g. LD_PRELOAD) to the login process. The login
process is run with the same privilege as sshd (usually
with root privilege).

Do not enable UseLogin on your machines or disable UseLogin
again in /etc/sshd_config:

    UseLogin no
----------------------------------------

At Tue, Dec 04, 2001 at 05:01:18PM -0800, Henry smith said this:
:: Right now, I'm using OpenSSH_3.0.1. Do I need to
:: upgrade to 3.0.2 ?
::
:: To Unsubscribe: send mail to majordomo@FreeBSD.org
:: with "unsubscribe freebsd-security" in the body of the message
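
An added example, not part of the original message or of OpenSSH: a small sh audit that applies the advisory's two conditions (UseLogin enabled, version prior to 3.0.2). The function names and sample config are constructed; it assumes sshd uses the first value given for a keyword and treats keywords case-insensitively.

```shell
#!/bin/sh
# Added example: check a host against the UseLogin advisory quoted above.
# Function names and the sample config are constructed for illustration.

# Print the effective UseLogin value ("yes"/"no") from an sshd_config file.
# Assumption: keywords are case-insensitive and the first value wins.
# An absent keyword means "no" (the advisory: not enabled by default).
uselogin_value() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        tolower($1) == "uselogin" && !seen { print tolower($2); seen = 1 }
        END { if (!seen) print "no" }
    ' "$1"
}

# Return 0 if a version string such as "OpenSSH_3.0.1" is older than 3.0.2,
# 1 if it is not, 2 if no version number could be parsed.
older_than_302() {
    v=${1#OpenSSH_}
    v=${v%%[!0-9.]*}                             # strip "p1", ", SSH ..." etc.
    [ -n "$v" ] || return 2
    ( IFS=.; set -- $v                           # split major.minor.patch
      [ $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} )) -lt 30002 ] )
}

# Return 0 when both advisory conditions hold:
# UseLogin is enabled AND the version is prior to 3.0.2.
exposed() {
    [ "$(uselogin_value "$1")" = "yes" ] && older_than_302 "$2"
}

# Constructed sample config (not taken from the thread).
cfg=$(mktemp)
printf '%s\n' '# sample sshd_config' 'Port 22' 'uselogin YES' 'UseLogin no' > "$cfg"
if exposed "$cfg" "OpenSSH_3.0.1"; then
    echo "UseLogin enabled on a pre-3.0.2 sshd: set 'UseLogin no' or upgrade"
else
    echo "not exposed per the advisory's conditions"
fi
rm -f "$cfg"
```

On a real host, pass the path to the sshd configuration file and the version string the installed OpenSSH reports.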