Date:      Thu, 27 Jun 2002 00:52:33 +1000 (Australia/ACT)
From:      Darren Reed <avalon@coombs.anu.edu.au>
To:        mike@sentex.net (Mike Tancsa)
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: OpenSSH Advisory (was Re: Much ado about nothing.)
Message-ID:  <200206261452.AAA26617@caligula.anu.edu.au>
In-Reply-To: <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> from "Mike Tancsa" at Jun 26, 2002 10:40:05 AM

From the OpenSSH 3.4 announcement:

Changes since OpenSSH 3.3:
============================

Security Changes:
=================

  All versions of OpenSSH's sshd between 2.9.9 and 3.3
  contain an input validation error that can result in
  an integer overflow and privilege escalation.

  OpenSSH 3.4 fixes this bug.

  In addition, OpenSSH 3.4 adds many checks to detect
  invalid input and mitigate resource exhaustion attacks.

  OpenSSH 3.2 and later prevent privilege escalation
  if UsePrivilegeSeparation is enabled in sshd_config.
  OpenSSH 3.3 enables UsePrivilegeSeparation by
  default.

In some mail from Mike Tancsa, sie said:
> 
> 
> Can someone confirm for me that the quote,
> 
> ----------
> Impact:
> 
> OpenBSD, FreeBSD-Current, and other OpenSSH implementations may be
> vulnerable to a remote, superuser compromise.
> 
> Affected Versions:
> 
> OpenBSD 3.0
> OpenBSD 3.1
> FreeBSD-Current
> OpenSSH 3.0-3.2.3
> 
> ------------end quote-------------
> 
> would imply that the version 2.9 in STABLE is not vulnerable ?
> 
> 
> 
> At 07:23 AM 26/06/2002 -0700, Benjamin Krueger wrote:
> 
> >http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584
> >
> >Regards,
> >
> >--
> >Benjamin Krueger
> >
> >"Life is far too important a thing ever to talk seriously about."
> >- Oscar Wilde (1854 - 1900)
> >----------------------------------------------------------------
> >Send mail w/ subject 'send public key' or query for (0x251A4B18)
> >Fingerprint = A642 F299 C1C1 C828 F186  A851 CFF0 7711 251A 4B18
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-security" in the body of the message
> 
> 


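As an added example, not part of this message and not OpenSSH's own code, here is a small POSIX shell check that applies the version ranges quoted above literally: it turns an `ssh -V` string into a comparable number, reads UsePrivilegeSeparation from an sshd_config, and classifies the build as fixed (3.4 and later), mitigated by privilege separation (3.2 and later with it on, which the announcement says is the default from 3.3), vulnerable (2.9.9 through 3.3 otherwise), or simply outside the range the announcement names. The sample sshd_config it runs against is constructed for the demo. It knows nothing about vendor patching: a FreeBSD sshd that reports OpenSSH_2.9 but carries backported fixes, or a patched 3.x that still reports its old version, is classified by the string alone, so "not-listed" means only that the announcement does not name that version, not that it is safe, and it does not settle the question asked in the quoted mail about 2.9 in STABLE.

```shell
#!/bin/sh
# Added example: classify an OpenSSH build against the version ranges in the
# OpenSSH 3.4 announcement quoted above. Not OpenSSH code and not from this thread.

# Turn "OpenSSH_3.2.3p1" into a comparable integer: 3.2.3 -> 30203.
# The portable-release suffix (p1, p2, ...) and anything after it is dropped.
ver_num() {
    printf '%s\n' "$1" | sed -e 's/^OpenSSH_//' -e 's/[^0-9.].*$//' \
        | awk -F. '{ printf "%d\n", $1 * 10000 + $2 * 100 + $3 }'
}

# First UsePrivilegeSeparation value in an sshd_config (sshd honours the first
# occurrence of a keyword; comment lines never match because $1 starts with '#').
# Prints nothing when the directive is absent, i.e. the compiled-in default applies.
privsep_setting() {
    awk 'tolower($1) == "useprivilegeseparation" && !seen { print $2; seen = 1 }' "$1"
}

# $1: version string as printed by `ssh -V`
# $2: UsePrivilegeSeparation value ("yes", "no", or empty when the directive is absent)
openssh_status() {
    v=$(ver_num "$1")
    privsep=$2
    if [ -z "$privsep" ]; then
        # Announcement: 3.3 enables UsePrivilegeSeparation by default; earlier releases do not.
        if [ "$v" -ge 30300 ]; then privsep=yes; else privsep=no; fi
    fi
    if [ "$v" -ge 30400 ]; then
        echo fixed
    elif [ "$v" -lt 20909 ]; then
        echo not-listed     # below 2.9.9: outside the range the announcement names
    elif [ "$v" -ge 30200 ] && [ "$privsep" = yes ]; then
        echo mitigated-by-privsep
    else
        echo vulnerable
    fi
}

# Demo on a constructed sshd_config. On a real host replace the two inputs with
#   ssh -V 2>&1          (OpenSSH prints its version on stderr)
#   /etc/ssh/sshd_config
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# constructed sample sshd_config for the demo
Port 22
UsePrivilegeSeparation yes
PermitRootLogin no
EOF
setting=$(privsep_setting "$cfg")
for ver in OpenSSH_2.9p2 OpenSSH_2.9.9p2 OpenSSH_3.1p1 OpenSSH_3.2.3p1 OpenSSH_3.3p1 OpenSSH_3.4p1; do
    echo "$ver (UsePrivilegeSeparation=$setting): $(openssh_status "$ver" "$setting")"
done
rm -f "$cfg"
```

The version arithmetic caps each component at two digits, which is enough for every release the announcement mentions; the classification strings are this example's own labels, not anything OpenSSH prints.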
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200206261452.AAA26617>