  1. #1
    z0s0

    CERT Advisory CA-2002-18 OpenSSH Vulnerabilities...

    Enough to strike fear into the hearts of sysadmins worldwide...

    Full text available from
    http://www.cert.org/advisories/CA-2002-18.html
    ___________________________________________________
    Systems Affected

    * OpenSSH versions 2.3.1p1 through 3.3

    Overview

    There are two related vulnerabilities in the challenge response
    handling code in OpenSSH versions 2.3.1p1 through 3.3. They may allow
    a remote intruder to execute arbitrary code as the user running sshd
    (often root). The first vulnerability affects OpenSSH versions 2.9.9
    through 3.3 that have the challenge response option enabled and that
    use SKEY or BSD_AUTH authentication. The second vulnerability affects
    PAM modules using interactive keyboard authentication in OpenSSH
    versions 2.3.1p1 through 3.3, regardless of the challenge response
    option setting. Additionally, a number of other possible security
    problems have been corrected in OpenSSH version 3.4.


    See http://www.cert.org/advisories/CA-2002-18.html
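A triage sketch for the two conditions in the advisory excerpt above, added here as an example (not part of the original post or of the CERT advisory). The keyword names `ChallengeResponseAuthentication` and `PAMAuthenticationViaKbdInt` are sshd_config options that the excerpt does not name, and any banner or config text passed in is the caller's own; an unset option is treated as enabled, a deliberately conservative assumption.

```python
import re

# Affected ranges as stated in the advisory excerpt (inclusive bounds).
CHALLENGE_RESPONSE_RANGE = ((2, 9, 9), (3, 3, 0))  # SKEY / BSD_AUTH case
PAM_KBDINT_RANGE = ((2, 3, 1), (3, 3, 0))          # PAM keyboard-interactive case


def parse_version(banner):
    """'SSH-2.0-OpenSSH_3.1p1' -> (3, 1, 0). The portable 'pN' suffix is
    dropped, so 2.3.1 and 2.3.1p1 compare equal (errs towards flagging)."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?", banner)
    if m is None:
        raise ValueError("no OpenSSH version found in %r" % (banner,))
    return tuple(int(part or 0) for part in m.groups())


def read_options(config_text):
    """Map lowercased sshd_config keyword -> lowercased value (first wins)."""
    options = {}
    for raw in config_text.splitlines():
        fields = raw.strip().split(None, 1)
        if len(fields) == 2 and not fields[0].startswith("#"):
            options.setdefault(fields[0].lower(), fields[1].strip().lower())
    return options


def triage(banner, config_text=""):
    """Report which of the two issues cannot be ruled out from the version
    and config alone. Compile-time SKEY/BSD_AUTH support and actual PAM use
    are not visible here, so they are assumed present."""
    version = parse_version(banner)
    options = read_options(config_text)

    def exposed(bounds, keyword):
        low, high = bounds
        # Only an explicit "no" counts as disabled.
        return low <= version <= high and options.get(keyword) != "no"

    return {
        "challenge_response": exposed(CHALLENGE_RESPONSE_RANGE,
                                      "challengeresponseauthentication"),
        "pam_kbdint": exposed(PAM_KBDINT_RANGE, "pamauthenticationviakbdint"),
    }
```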

  2. #2
    I upgraded to the latest OpenSSH version as soon as I heard of this. It looks like a pretty scary vulnerability. Remote root.

    What's more interesting is Theo de Raadt's handling of the situation. He just said "upgrade", and didn't say why. No details of the vulnerability were released, we were just blindly told to upgrade. Theo can be a bit weird but he makes great software. I've been a happy OpenBSD user for 2 years.

  3. #3
    Karl
    There's a good reason for just saying upgrade, it's much better than the farce that happened with ISS and the Apache vuln. where everyone knew about it before a patch was released.

