From owner-freebsd-security Mon Jun 24 15:21:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from nexusxi.com (balistraria.nexusxi.com [216.123.202.196]) by hub.freebsd.org (Postfix) with SMTP id 88DD237B41C for ; Mon, 24 Jun 2002 15:20:46 -0700 (PDT) Received: (qmail 400 invoked by uid 1000); 24 Jun 2002 22:20:40 -0000 Date: Mon, 24 Jun 2002 16:20:40 -0600 From: "Dalin S. Owen" To: Jason DiCioccio Cc: freebsd-security@freebsd.org Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) Message-ID: <20020624162040.A280@nexusxi.com> References: <2147483647.1024930479@[192.168.4.154]> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="8t9RHnE3ZwKMSgU+" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <2147483647.1024930479@[192.168.4.154]>; from geniusj@bluenugget.net on Mon, Jun 24, 2002 at 02:54:39PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --8t9RHnE3ZwKMSgU+ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable FreeBSD's OpenSSH is too old, it doesn't have PrivSep.. :( So firewall you= r port 22 guys. :) On Mon, Jun 24, 2002 at 02:54:39PM -0700, Jason DiCioccio wrote: > ---------- Forwarded Message ---------- > Date: Monday, June 24, 2002 11:06 PM +0200 > From: Markus Friedl > To: openssh-unix-announce@mindrot.org, openssh-unix-dev@mindrot.org > Subject: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability >=20 > On Mon, Jun 24, 2002 at 03:00:10PM -0600, Theo de Raadt wrote: > > Date: Mon, 24 Jun 2002 15:00:10 -0600 > > From: Theo de Raadt > > Subject: Upcoming OpenSSH vulnerability > > To: bugtraq@securityfocus.com > > Cc: announce@openbsd.org > > Cc: dsi@iss.net > > Cc: misc@openbsd.org > > > > There is an upcoming OpenSSH vulnerability that we're working on with > > ISS. Details will be published early next week. > > > > However, I can say that when OpenSSH's sshd(8) is running with priv > > seperation, the bug cannot be exploited. > > > > OpenSSH 3.3p was released a few days ago, with various improvements > > but in particular, it significantly improves the Linux and Solaris > > support for priv sep. However, it is not yet perfect. Compression is > > disabled on some systems, and the many varieties of PAM are causing > > major headaches. > > > > However, everyone should update to OpenSSH 3.3 immediately, and enable > > priv seperation in their ssh daemons, by setting this in your > > /etc/ssh/sshd_config file: > > > [...] > > > > OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away. > > On OpenBSD privsep works flawlessly, and I have reports that is also > > true on NetBSD. All other systems appear to have minor or major > > weaknesses when this code is running. >=20 > I know theo did not mention FreeBSD, but does anyone know for sure if=20 > FreeBSD is one of the platforms with major/minor weaknesses in the privse= p=20 > code? And if it is major, or minor? ;-) >=20 > Cheers, > -JD- >=20 > -- > Jason DiCioccio - jd@bluenugget.net - Useless .sig > Open Domain Service - geniusj@ods.org - http://www.ods.org/ > Ruby - jd@ruby-lang.org - http://www.ruby-lang.org/ >=20 > PGP Fingerprint - C442 04E2 26B0 3809 8357 96AB D350 9596 0436 7C08 >=20 > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message --=20 Regards, Dalin S. Owen Nexus XI Corp. Email: dowen@nexusxi.com Web: http://www.nexusxi.com/ --8t9RHnE3ZwKMSgU+ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAj0XmzcACgkQKZhyFXMVXuItXgCgvsne444w3fsDPf22moHkBZd8 jDsAoL2+ahgcWCK4bs82rxORpjUBzs7/ =7oSb -----END PGP SIGNATURE----- --8t9RHnE3ZwKMSgU+-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message