From owner-freebsd-security  Tue Dec  4 17:26:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from radix.cryptio.net (radix.cryptio.net [199.181.107.213])
	by hub.freebsd.org (Postfix) with ESMTP id E3B8337B41B
	for <security@FreeBSD.ORG>; Tue,  4 Dec 2001 17:26:10 -0800 (PST)
Received: (from emechler@localhost)
	by radix.cryptio.net (8.11.6/8.11.6) id fB51Q5c95565;
	Tue, 4 Dec 2001 17:26:05 -0800 (PST)
	(envelope-from emechler)
Date: Tue, 4 Dec 2001 17:26:05 -0800
From: Erick Mechler <emechler@techometer.net>
To: Henry smith <getzz11@yahoo.com>
Cc: security@FreeBSD.ORG
Subject: Re: upgrade sshd ?
Message-ID: <20011204172605.T66947@techometer.net>
References: <20011205010118.50293.qmail@web21109.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011205010118.50293.qmail@web21109.mail.yahoo.com>; from Henry smith on Tue, Dec 04, 2001 at 05:01:18PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Yeah, if you don't want to be vulnerable to the 'UseLogin' exploit.  The 
packages should have shown up on the mirrors by now.

--Erick

----------------------------------------

Important Changes:
==================

        This release fixes a vulnerability in the UseLogin option
        of OpenSSH.  This option is not enabled in the default
        installation of OpenSSH.

        However, if UseLogin is enabled by the administrator, all
        versions of OpenSSH prior to 3.0.2 may be vulnerable to
        local attacks.

        The vulnerability allows local users to pass environment
        variables (e.g. LD_PRELOAD) to the login process.  The login
        process is run with the same privilege as sshd (usually
        with root privilege).

        Do not enable UseLogin on your machines or disable UseLogin
        again in /etc/sshd_config:
                UseLogin no

----------------------------------------

At Tue, Dec 04, 2001 at 05:01:18PM -0800, Henry smith said this:
:: Right now, I'm using OpenSSH_3.0.1. Do I need to
:: upgrade to 3.0.2 ?
:: 
:: 
:: __________________________________________________
:: Do You Yahoo!?
:: Buy the perfect holiday gifts at Yahoo! Shopping.
:: http://shopping.yahoo.com
:: 
:: To Unsubscribe: send mail to majordomo@FreeBSD.org
:: with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message