Date: Sat, 20 Sep 2003 20:18:50 +0200
From: Oliver Eikemeier <eikemeier@fillmore-labs.com>
To: FreeBSD ports <ports@FreeBSD.org>, FreeBSD Ports Management Team <portmgr@freebsd.org>
Subject: [Fwd: LSH: Buffer overrun and remote root compromise in lshd]
Message-ID: <3F6C9A0A.8080103@fillmore-labs.com>

Hi Ports,

port security/lsh 1.5.2 has a remote root compromise; it seems that even the client part is affected. Either someone upgrades it to 1.5.3 or we mark it as broken for 4.9.

The announcement is at:
<http://lists.lysator.liu.se/pipermail/lsh-bugs/2003q3/000127.html>

Regards
Oliver

-------- Original Message --------
Subject: LSH: Buffer overrun and remote root compromise in lshd
Date: 20 Sep 2003 10:58:55 +0200
From: nisse@lysator.liu.se (Niels Möller)

A security hole of the worst kind has been found in lshd. All versions up to 1.4.2 and all versions in the 1.5.x series up to 1.5.2 are affected.

The primary threat is remote root compromise of the lshd server. Some exploit programs have been published. It is also likely that a malicious ssh server can exploit the lsh client.

All users of lsh servers and clients are strongly advised to upgrade to 1.4.3 (stable) or 1.5.3 (development version, with the usual caveats), and to immediately disable lshd service until the program is upgraded.

For further details and instructions, see the [...] announcement of the new versions.

[...]

Regards,
/Niels