Date:      Sat, 20 Sep 2003 20:18:50 +0200
From:      Oliver Eikemeier <eikemeier@fillmore-labs.com>
To:        FreeBSD ports <ports@FreeBSD.org>, FreeBSD Ports Management Team <portmgr@freebsd.org>
Subject:   [Fwd: LSH: Buffer overrun and remote root compromise in lshd]
Message-ID:  <3F6C9A0A.8080103@fillmore-labs.com>

Hi Ports,

port security/lsh 1.5.2 has a remote root compromise,
it seems that even the client part is affected.
Either someone upgrades it to 1.5.3 or we mark it as
broken for 4.9.

The announcement is at:
  <http://lists.lysator.liu.se/pipermail/lsh-bugs/2003q3/000127.html>

Regards
    Oliver

-------- Original Message --------
Subject: LSH: Buffer overrun and remote root compromise in lshd
Date: 20 Sep 2003 10:58:55 +0200
From: nisse@lysator.liu.se (Niels Möller)

A security hole of the worst kind has been found in lshd. All
versions up to 1.4.2 and all versions in the 1.5.x series up to 1.5.2
are affected.

The primary threat is remote root compromise of the lshd server. Some
exploit programs have been published. It is also likely that a
malicious ssh server can exploit the lsh client.

All users of lsh servers and clients are strongly advised to upgrade
to 1.4.3 (stable) or 1.5.3 (development version, with the usual
caveats), and to immediately disable lshd service until the program
is upgraded.

For further details and instructions, see the [...] announcement of
the new versions. [...]

Regards,
/Niels



