Message-Id: <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca>
Date: Wed, 26 Jun 2002 11:10:44 -0400
To: Darren Reed
From: Mike Tancsa
Subject: Re: OpenSSH Advisory (was Re: Much ado about nothing.)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <200206261452.AAA26617@caligula.anu.edu.au>
References: <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca>

At 12:52 AM 27/06/2002 +1000, Darren Reed wrote:
>
> From the OpenSSH 3.4 announcement:
>
> Changes since OpenSSH 3.3:
> ============================
>
> Security Changes:
> =================
>
>   All versions of OpenSSH's sshd between 2.9.9 and 3.3
>   contain an input validation error that can result in

OK, but 2.9.9... is that really the same as FreeBSD's

SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20020307

Also, the ISS advisory states

"Administrators can remove this vulnerability by disabling the
Challenge-Response authentication parameter within the OpenSSH daemon
configuration file. This filename and path is typically: /etc/ssh/sshd_config.

To disable this parameter, locate the corresponding line and change it to
the line below:

ChallengeResponseAuthentication no "

This would imply there is a work around, but the talk beforehand

----quote from Message-Id: <200206242327.g5ONRBLI012690@cvs.openbsd.org>---
Bullshit. You have been told to move up to privsep so that you are
immunized by the time the bug is released. If you fail to immunize your
users, then the best you can do is tell them to disable OpenSSH until 3.4
is out early next week with the bugfix in it. Of course, then the bug will
be public.
----end-quote---

---Mike

> In some mail from Mike Tancsa, sie said:
> >
> > Can someone confirm for me that the quote,
> >
> > ----------
> > Impact:
> >
> > OpenBSD, FreeBSD-Current, and other OpenSSH implementations may be
> > vulnerable to a remote, superuser compromise.
> >
> > Affected Versions:
> >
> > OpenBSD 3.0
> > OpenBSD 3.1
> > FreeBSD-Current
> > OpenSSH 3.0-3.2.3
> >
> > ------------end quote-------------
> >
> > would imply that the version 2.9 in STABLE is not vulnerable ?
> >
> > At 07:23 AM 26/06/2002 -0700, Benjamin Krueger wrote:
> >
> > > http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584
> > >
> > > Regards,
> > >
> > > --
> > > Benjamin Krueger
> > >
> > > "Life is far too important a thing ever to talk seriously about."
> > > - Oscar Wilde (1854 - 1900)
> > > ----------------------------------------------------------------
> > > Send mail w/ subject 'send public key' or query for (0x251A4B18)
> > > Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
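The two checks the thread turns on, whether a host's sshd banner falls inside the version range quoted from the 3.4 announcement and whether the sshd_config workaround quoted from the ISS advisory is actually in effect, written out as a small triage script. This is an added example for this archive page, not code from any of the posters, from FreeBSD or from the OpenSSH project. The banner strings and the sshd_config fragment it inspects are constructed (one banner is copied from the message above), the affected range is the "between 2.9.9 and 3.3" quoted from the announcement, and the config parsing follows the documented sshd_config rule that the first value obtained for a keyword wins and that ChallengeResponseAuthentication defaults to yes. A banner match is only a hint: vendor builds such as the FreeBSD one carry their own patch levels, so only the vendor advisory settles whether a given build is affected.

```python
"""Triage helpers for the OpenSSH challenge-response advisory discussed above.

Constructed example: the banners and the sshd_config text below are made up
(or copied from the thread), not read from a live host.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Range as quoted in the thread from the OpenSSH 3.4 announcement
# ("between 2.9.9 and 3.3"), taken as inclusive at both ends.
AFFECTED_LOW: Version = (2, 9, 9)
AFFECTED_HIGH: Version = (3, 3)

# Banner copied from the message above; the others are constructed.
FREEBSD_BANNER = "SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20020307"

# Constructed sshd_config fragment (not from any real host). The commented
# line is the usual "default shown as a comment" and must not count.
SAMPLE_CONFIG = """\
# constructed sshd_config fragment
Port 22
Protocol 2,1
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
"""

_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<ver>\d+(?:\.\d+)*)(?P<rest>.*)$"
)


def parse_banner(banner: str) -> Optional[Version]:
    """Return the OpenSSH version tuple from an SSH identification banner.

    Anything after the numeric version ("p1", " FreeBSD localisations ...")
    is ignored; that suffix is exactly why a banner match is only a hint.
    Returns None for non-OpenSSH or unparseable banners.
    """
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group("ver").split("."))


def _pad(v: Version, n: int) -> Version:
    """Right-pad a version tuple with zeros so 3.3 compares as 3.3.0."""
    return v + (0,) * (n - len(v))


def in_affected_range(v: Version, low: Version = AFFECTED_LOW,
                      high: Version = AFFECTED_HIGH) -> bool:
    """True if low <= v <= high, comparing component-wise."""
    n = max(len(v), len(low), len(high))
    return _pad(low, n) <= _pad(v, n) <= _pad(high, n)


def challenge_response_disabled(sshd_config: str) -> bool:
    """True if the ISS workaround from the thread is in effect in this text.

    sshd_config keywords are case-insensitive, may be separated from their
    value by whitespace or '=', and the first value obtained is the one
    sshd uses. If the keyword is absent the default ("yes") applies.
    """
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "challengeresponseauthentication":
            return parts[1].strip().lower() == "no"
    return False


def assess(banner: str, sshd_config: str) -> str:
    """Combine both checks into one triage verdict for a host."""
    v = parse_banner(banner)
    if v is None:
        return "unparseable or non-OpenSSH banner: check manually"
    if not in_affected_range(v):
        return "outside the quoted range: confirm against the vendor advisory"
    if challenge_response_disabled(sshd_config):
        return "in quoted range, challenge-response off: workaround in place"
    return "in quoted range, challenge-response still on: apply workaround or upgrade"


if __name__ == "__main__":
    for b in (FREEBSD_BANNER, "SSH-2.0-OpenSSH_3.3p1", "SSH-2.0-OpenSSH_3.4"):
        print(f"{b!r}: {assess(b, SAMPLE_CONFIG)}")
```

Run against a real host, the banner would come from the first line sshd sends on connect and the config text from /etc/ssh/sshd_config; the "outside the quoted range" verdict is deliberately not "not vulnerable", because the vendor string after the version number is the part the range check cannot see.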