Date: Tue, 23 Sep 2003 16:53:18 -0400
From: Haesu
To: Michael Sierchio, security@freebsd.org
Subject: Re: OpenSSH: multiple vulnerabilities in the new PAM code

Oh jee, here we go again. Hey, at least patched 3.5p1 on FreeBSD 4.8/4.9 are not affected :)

-hc

-- 
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | haesu@towardex.com
Cell: (978)394-2867 | Office: (978)263-3399 Ext. 174
Fax: (978)263-0033 | POC: HAESU-ARIN

On Tue, Sep 23, 2003 at 07:48:45AM -0700, Michael Sierchio wrote:
> This affects only 3.7p1 and 3.7.1p1. The advice to leave
> PAM disabled is far from heartening, nor is the semi-lame
> blaming the PAM spec for implementation bugs.
>
> I happen to like OPIE for remote access.
>
> > Subject: Portable OpenSSH Security Advisory: sshpam.adv
> >
> > This document can be found at: http://www.openssh.com/txt/sshpam.adv
> >
> > 1. Versions affected:
> >
> > Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
> > vulnerabilities in the new PAM code. At least one of these bugs
> > is remotely exploitable (under a non-standard configuration,
> > with privsep disabled).
> >
> > The OpenBSD releases of OpenSSH do not contain this code and
> > are not vulnerable. Older versions of portable OpenSSH are not
> > vulnerable.
> >
> > 2. Solution:
> >
> > Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM
> > support ("UsePam no" in sshd_config).
> >
> > Due to complexity, inconsistencies in the specification and
> > differences between vendors' PAM implementations we recommend
> > that PAM be left disabled in sshd_config unless there is a need
> > for its use. Sites only using public key or simple password
> > authentication usually have little need to enable PAM
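An added audit check, not part of this thread or of OpenSSH itself, that applies the quoted advisory's criteria to a host: only 3.7p1 and 3.7.1p1 are affected, "UsePAM no" mitigates, and the remote case needs privilege separation switched off. It assumes sshd_config(5) first-value-wins semantics, treats an absent UsePAM as enabled, and uses the hypothetical function names sshd_config_get and sshpam_exposure.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH): classify a host's exposure
# to sshpam.adv from its sshd version string and its sshd_config.

# First-value-wins lookup of a keyword, as sshd_config(5) specifies:
# keywords are case-insensitive, '#' lines are comments, and the first
# occurrence of a keyword is the one sshd uses.
sshd_config_get() {   # usage: sshd_config_get <file> <keyword> <default>
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}" | tr 'A-Z' 'a-z'
}

# Prints one of: not-affected, mitigated-pam-disabled, vulnerable-remote,
# vulnerable-privsep-contained.
sshpam_exposure() {   # usage: sshpam_exposure <version> <sshd_config>
    case "$1" in
        OpenSSH_3.7p1|OpenSSH_3.7.1p1) ;;          # the two affected releases
        *) echo not-affected; return 0 ;;          # e.g. 3.5p1 or 3.7.1p2
    esac
    # Assumption: an absent UsePAM counts as enabled (the advisory's remedy is
    # to set it to no explicitly); UsePrivilegeSeparation defaults to yes.
    usepam=$(sshd_config_get "$2" UsePAM yes)
    privsep=$(sshd_config_get "$2" UsePrivilegeSeparation yes)
    if [ "$usepam" = no ]; then
        echo mitigated-pam-disabled
    elif [ "$privsep" = no ]; then
        echo vulnerable-remote            # the advisory's remote case
    else
        echo vulnerable-privsep-contained # PAM code live, privsep still on
    fi
}

# Demo on a constructed sshd_config (not a real host's file).
demo=$(mktemp) || exit 1
printf '# constructed sample\nUsePrivilegeSeparation no\nUsePAM yes\n' > "$demo"
echo "OpenSSH_3.7.1p1 + demo config: $(sshpam_exposure OpenSSH_3.7.1p1 "$demo")"
echo "OpenSSH_3.5p1   + demo config: $(sshpam_exposure OpenSSH_3.5p1 "$demo")"
rm -f "$demo"
```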