Jun 26, 2002, 20:58 #1
CERT Advisory CA-2002-18 OpenSSH Vulnerabilities...
Enough to strike fear into the hearts of sysadmins worldwide...
Full text available from
http://www.cert.org/advisories/CA-2002-18.html
___________________________________________________
Systems Affected
* OpenSSH versions 2.3.1p1 through 3.3
Overview
There are two related vulnerabilities in the challenge response
handling code in OpenSSH versions 2.3.1p1 through 3.3. They may allow
a remote intruder to execute arbitrary code as the user running sshd
(often root). The first vulnerability affects OpenSSH versions 2.9.9
through 3.3 that have the challenge response option enabled and that
use SKEY or BSD_AUTH authentication. The second vulnerability affects
PAM modules using interactive keyboard authentication in OpenSSH
versions 2.3.1p1 through 3.3, regardless of the challenge response
option setting. Additionally, a number of other possible security
problems have been corrected in OpenSSH version 3.4.
See http://www.cert.org/advisories/CA-2002-18.html
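As an added example (not part of the thread and not CERT's or OpenSSH's own code), the following Python helper shows how a sysadmin could triage a fleet against the version ranges quoted in the advisory: it parses the OpenSSH version out of an SSH banner or `ssh -V` output, checks it against 2.3.1p1 through 3.3 (and 2.9.9 through 3.3 for the SKEY/BSD_AUTH case), and reads the challenge-response setting from sshd_config. Assumptions: the sshd_config keyword `ChallengeResponseAuthentication`, defaulting to `yes` when unset, is taken to be the "challenge response option" the advisory refers to; whether the build uses SKEY/BSD_AUTH or PAM is passed in by the caller, since that is a build-time property not visible in the config; every banner and config snippet below is constructed.

```python
import re

# Version bounds quoted in CA-2002-18, as comparable tuples (constructed here).
AFFECTED_LOW = (2, 3, 1)        # first affected release: 2.3.1p1
AFFECTED_HIGH = (3, 3)          # last affected release line: 3.3 (any p-level)
SKEY_BSDAUTH_LOW = (2, 9, 9)    # the SKEY/BSD_AUTH vulnerability starts at 2.9.9
FIXED_IN = "3.4"                # advisory: corrected in OpenSSH 3.4

# Matches 'OpenSSH_3.3p1' in a banner and 'OpenSSH_3.4p1, SSH protocols ...' from ssh -V.
VERSION_RE = re.compile(r"OpenSSH[_ ](\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_openssh_version(text):
    """Return (major, minor, patch) for the first OpenSSH version string in text.
    The portable 'pN' suffix is ignored: the advisory's ranges do not depend on it.
    Returns None when the text carries no OpenSSH version (e.g. another server)."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def in_affected_range(version):
    """True when 2.3.1 <= version <= 3.3.x, the range CA-2002-18 lists."""
    return AFFECTED_LOW <= version and version[:2] <= AFFECTED_HIGH


def config_value(config_text, keyword):
    """Value of the first active (uncommented) sshd_config keyword, lower-cased,
    or None if the keyword is not set. Keyword matching is case-insensitive,
    as sshd's own parser treats it."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip().lower()
    return None


def assess(banner, config_text, uses_skey_or_bsdauth, uses_pam):
    """Summarise one host's exposure to CA-2002-18.
    uses_skey_or_bsdauth / uses_pam: build-time facts supplied by the caller."""
    version = parse_openssh_version(banner)
    if version is None:
        return {"status": "unknown", "reason": "no OpenSSH version string in banner"}
    if not in_affected_range(version):
        return {"status": "not affected", "version": version}

    # Assumption: the option defaults to 'yes' when absent from sshd_config.
    chal = config_value(config_text, "ChallengeResponseAuthentication")
    chal_on = chal is None or chal == "yes"

    findings = []
    if version >= SKEY_BSDAUTH_LOW and chal_on and uses_skey_or_bsdauth:
        findings.append("challenge-response on with SKEY/BSD_AUTH: first vulnerability reachable")
    if uses_pam:
        # Per the advisory this path is affected regardless of the option setting.
        findings.append("PAM keyboard-interactive build: second vulnerability reachable")
    return {
        "status": "affected",
        "version": version,
        "findings": findings,
        "action": "upgrade to OpenSSH %s or later" % FIXED_IN,
    }


if __name__ == "__main__":
    # Constructed sample: a Linux box running 3.3p1 with PAM, challenge-response left at default.
    report = assess("SSH-1.99-OpenSSH_3.3p1", "PermitRootLogin no\n", False, True)
    print(report)
```

Even a host whose findings list comes back empty still reports "affected" with an upgrade action, because the advisory notes that 3.4 also corrects other problems; the findings only tell you which of the two named code paths your configuration exposes.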
-
Jun 26, 2002, 21:22 #2
I upgraded to the latest OpenSSH version as soon as I heard of this. It looks like a pretty scary vulnerability. Remote root.
What's more interesting is Theo de Raadt's handling of the situation. He just said "upgrade", and didn't say why. No details of the vulnerability were released, we were just blindly told to upgrade. Theo can be a bit weird but he makes great software. I've been a happy OpenBSD user for 2 years.
-
Jun 27, 2002, 02:17 #3
There's a good reason for just saying upgrade, it's much better than the farce that happened with ISS and the Apache vuln. where everyone knew about it before a patch was released.
Karl Austin :: Profile :: KDA Web Services Ltd.
Business Web Hosting :: Managed Dedicated Hosting
Call 0800 542 9764 today and ask how we can help your business grow.