From owner-freebsd-security Wed Dec 5 4:52:55 2001
Message-ID: <01e501c17d8b$fc371900$2aa8a8c0@melim.com.br>
From: "Ronan Lucio"
To: "Erick Mechler", "Henry smith"
References: <20011205010118.50293.qmail@web21109.mail.yahoo.com> <20011204172605.T66947@techometer.net>
Subject: Re: upgrade sshd ?
Date: Wed, 5 Dec 2001 10:54:32 -0200
Sender: owner-freebsd-security@FreeBSD.ORG

You can do a workaround.
Just set UseLogin no

[]'s
Ronan Lucio
Melim Internet Provider

> Yeah, if you don't want to be vulnerable to the 'UseLogin' exploit. The
> packages should have shown up on the mirrors by now.
>
> --Erick
>
> ----------------------------------------
>
> Important Changes:
> ==================
>
> This release fixes a vulnerability in the UseLogin option
> of OpenSSH. This option is not enabled in the default
> installation of OpenSSH.
>
> However, if UseLogin is enabled by the administrator, all
> versions of OpenSSH prior to 3.0.2 may be vulnerable to
> local attacks.
>
> The vulnerability allows local users to pass environment
> variables (e.g. LD_PRELOAD) to the login process. The login
> process is run with the same privilege as sshd (usually
> with root privilege).
>
> Do not enable UseLogin on your machines or disable UseLogin
> again in /etc/sshd_config:
>     UseLogin no
>
> ----------------------------------------
>
> At Tue, Dec 04, 2001 at 05:01:18PM -0800, Henry smith said this:
> :: Right now, I'm using OpenSSH_3.0.1. Do I need to
> :: upgrade to 3.0.2 ?
> ::
> :: To Unsubscribe: send mail to majordomo@FreeBSD.org
> :: with "unsubscribe freebsd-security" in the body of the message
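
Added example, not part of the original thread: a POSIX shell triage for the condition the quoted release notes describe, UseLogin enabled on an OpenSSH version prior to 3.0.2. The function names, verdict strings and sample config lines are constructed for illustration, and the config matching is deliberately conservative rather than a model of sshd's own parser.

```shell
#!/bin/sh
# Added example (not from the thread): triage a host for the UseLogin issue.

# Succeeds if the sshd_config text on stdin has an uncommented "UseLogin yes".
# Conservative assumptions: keyword and value are compared case-insensitively,
# "true" and "key=value" also count, and ANY enabling line means enabled.
uselogin_enabled() {
    awk '{ sub(/#.*/, ""); gsub(/=/, " ") }
         tolower($1) == "uselogin" && tolower($2) ~ /^(yes|true)$/ { on = 1 }
         END { exit !on }'
}

# Returns 0 if BANNER names a version before 3.0.2, 1 if not, 2 if unparseable.
# A missing third component (e.g. "OpenSSH_2.9p2") is read as .0.
version_prior_to_3_0_2() {
    v=$(printf '%s\n' "$1" | sed -n 's/^.*OpenSSH_\([0-9][0-9.]*\).*$/\1/p')
    [ -n "$v" ] || return 2
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    [ $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} )) -lt 30002 ]
}

# audit_uselogin BANNER < sshd_config
# Prints one verdict word; returns non-zero when the host needs attention.
audit_uselogin() {
    uselogin_enabled || { echo "not-exposed"; return 0; }
    if version_prior_to_3_0_2 "$1"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "exposed"; return 1 ;;          # set "UseLogin no" or upgrade
        1) echo "fixed-version"; return 0 ;;    # 3.0.2 or later
        *) echo "unknown-version"; return 1 ;;  # check the banner by hand
    esac
}

# Constructed sample: the version from the question with UseLogin switched on.
printf '%s\n' '# constructed sample sshd_config' 'Port 22' 'UseLogin yes' |
    audit_uselogin "OpenSSH_3.0.1" || true
```

On a real host, pass the version string reported by `ssh -V` as the argument and redirect the server configuration (the notes above name /etc/sshd_config) to stdin.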