Date: Wed, 5 Dec 2001 10:54:32 -0200
From: "Ronan Lucio" <ronan@melim.com.br>
To: "Erick Mechler" <emechler@techometer.net>, "Henry smith" <getzz11@yahoo.com>
Cc: <security@FreeBSD.ORG>
Subject: Re: upgrade sshd ?
Message-ID: <01e501c17d8b$fc371900$2aa8a8c0@melim.com.br>
References: <20011205010118.50293.qmail@web21109.mail.yahoo.com> <20011204172605.T66947@techometer.net>

You can do a workaround.
Just set UseLogin no

[]'s
Ronan Lucio
Melim Internet Provider

> Yeah, if you don't want to be vulnerable to the 'UseLogin' exploit.  The
> packages should have shown up on the mirrors by now.
>
> --Erick
>
> ----------------------------------------
>
> Important Changes:
> ==================
>
>         This release fixes a vulnerability in the UseLogin option
>         of OpenSSH.  This option is not enabled in the default
>         installation of OpenSSH.
>
>         However, if UseLogin is enabled by the administrator, all
>         versions of OpenSSH prior to 3.0.2 may be vulnerable to
>         local attacks.
>
>         The vulnerability allows local users to pass environment
>         variables (e.g. LD_PRELOAD) to the login process.  The login
>         process is run with the same privilege as sshd (usually
>         with root privilege).
>
>         Do not enable UseLogin on your machines or disable UseLogin
>         again in /etc/sshd_config:
>                 UseLogin no
>
> ----------------------------------------
>
> At Tue, Dec 04, 2001 at 05:01:18PM -0800, Henry smith said this:
> :: Right now, I'm using OpenSSH_3.0.1. Do I need to
> :: upgrade to 3.0.2 ?
> ::
> ::
> :: __________________________________________________
> :: Do You Yahoo!?
> :: Buy the perfect holiday gifts at Yahoo! Shopping.
> :: http://shopping.yahoo.com
> ::
> :: To Unsubscribe: send mail to majordomo@FreeBSD.org
> :: with "unsubscribe freebsd-security" in the body of the message
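
Added example (not part of the original message or of OpenSSH): a small check for the workaround discussed above, reporting the effective UseLogin value in an sshd_config file. It assumes sshd uses the first value it reads for a keyword and matches keywords case-insensitively; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Print the effective UseLogin value of the sshd_config given as $1:
# "yes", "no", or "unset" (keyword absent, so the built-in default applies).
uselogin_effective() {
    awk '
        $1 ~ /^#/ { next }                      # skip comment lines
        !seen && tolower($1) == "uselogin" {    # first occurrence decides
            seen = 1
            print tolower($2)
        }
        END { if (!seen) print "unset" }
    ' "$1"
}

# Return 1 and print a finding when UseLogin is effectively enabled.
audit_uselogin() {
    case "$(uselogin_effective "$1")" in
        yes)
            echo "FINDING: UseLogin is enabled in $1; set UseLogin no or upgrade to 3.0.2"
            return 1 ;;
        *)
            echo "ok: UseLogin is not enabled in $1"
            return 0 ;;
    esac
}

# Constructed sample config: the later "UseLogin no" does not help,
# because the earlier (differently cased) line is read first.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real host configuration
Port 22
#UseLogin no
useLogin yes
UseLogin no
EOF
audit_uselogin "$sample" || true
rm -f "$sample"
```

Run audit_uselogin against the configuration file your sshd actually reads; the quoted release notes name /etc/sshd_config.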