Date: Tue, 13 May 2003 15:05:19 -0400
From: "Peter C. Lai" <sirmoo@cowbert.2y.net>
To: Omar Lopez <magura@ardilla.dyndns.org>
Cc: FreeBSD Security <freebsd-security@freebsd.org>
Subject: Re: OpenSSH-portable <= 3.6.1p1 bug?
Message-ID: <20030513190519.GU67769@cowbert.2y.net>
In-Reply-To: <1052775063.532.18.camel@croconout.casa.net>
References: <1052775063.532.18.camel@croconout.casa.net>
I think this explains it pretty well:
(it's under section 3. of the advisory you posted).

<blockquote>
NOTE. FreeBSD uses both a different PAM implementation and a different PAM support in OpenSSH: it doesn't seem to be vulnerable to this particular timing leak issue.

All OpenSSH-portable releases <= OpenSSH_3.6.1p1 compiled with PAM support enabled (./configure --with-pam) are vulnerable to this information leak. The PAMAuthenticationViaKbdInt directive doesn't need to be enabled in sshd_config.
</blockquote>

However, it lists MACOSX as "unconfirmed". I thought MACOSX used the FreeBSD ssh implementation.

On Mon, May 12, 2003 at 11:31:03PM +0200, Omar Lopez wrote:
> Hi:
> I read this security advisory.
> http://lab.mediaservice.net/advisory/2003-01-openssh.txt
> Is my FreeBSD 5.0 affected? What other versions are affected?
>
> Thanks.
>

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology
Yale University School of Medicine
SenseLab | Research Assistant
http://cowbert.2y.net/
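The scope quoted from the advisory (OpenSSH-portable, release <= 3.6.1p1, built with PAM, with the FreeBSD note as a carve-out) can be turned into a small triage helper for version strings collected from hosts. This is an added example, not part of the original message or the advisory; the function names, status labels and sample version strings are hypothetical and constructed for illustration.

```python
import re

# Last affected release named in the quoted advisory: OpenSSH_3.6.1p1.
LAST_AFFECTED = (3, 6, 1, 1)

# Matches e.g. "OpenSSH_3.6.1p1" inside an SSH banner or `ssh -V` output.
VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?(.*)")


def parse_openssh(version_string):
    """Return (major, minor, patch, portable_level, trailing_text) or None.

    portable_level is None when there is no "pN" suffix, i.e. the string
    does not identify an OpenSSH-portable release.
    """
    m = VERSION_RE.search(version_string)
    if m is None:
        return None
    patch = int(m.group(3) or 0)
    portable = int(m.group(4)) if m.group(4) else None
    return int(m.group(1)), int(m.group(2)), patch, portable, m.group(5).strip()


def triage(version_string, built_with_pam):
    """Classify a host against the conditions quoted from the advisory."""
    parsed = parse_openssh(version_string)
    if parsed is None:
        return "unknown"            # not an OpenSSH version string
    major, minor, patch, portable, trailing = parsed
    if portable is None:
        return "out-of-scope"       # advisory names OpenSSH-portable only
    if (major, minor, patch, portable) > LAST_AFFECTED:
        return "not-listed"         # newer than the last release named
    if not built_with_pam:
        return "not-affected"       # leak requires a --with-pam build
    if "FreeBSD" in trailing:
        return "check-vendor"       # advisory: "doesn't seem to be vulnerable"
    return "affected"


if __name__ == "__main__":
    # Constructed sample inputs: (version string, built with PAM?)
    samples = [("SSH-2.0-OpenSSH_3.6.1p1", True),
               ("OpenSSH_3.5p1 FreeBSD-20030201", True),
               ("OpenSSH_3.6.1p1", False),
               ("OpenSSH_3.4", True)]
    for banner, pam in samples:
        print(f"{banner!r:40} pam={pam!s:5} -> {triage(banner, pam)}")
```

Whether a given sshd binary was built with PAM has to be established separately on the host; the helper takes that as an input rather than guessing it.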