View previous topic :: View next topic |
Author |
Message |
DrSpock n00b
Joined: 25 Jun 2002 Posts: 1
|
Posted: Wed Jun 26, 2002 8:07 pm Post subject: OpenSSH 3.4 |
|
|
NOTE: Covered by Sticky above sorry for the redudency
OpenSSH 3.4 was released fixing the discovered vulnerabilitiy in previous versions:
1. Versions affected:
All versions of OpenSSH's sshd between 2.9.9 and 3.3
contain an input validation error that can result in
an integer overflow and privilege escalation.
OpenSSH 3.4 and later are not affected.
OpenSSH 3.2 and later prevent privilege escalation
if UsePrivilegeSeparation is enabled in sshd_config.
OpenSSH 3.3 enables UsePrivilegeSeparation by
default.
Although OpenSSH 2.9 and earlier are not affected
upgrading to OpenSSH 3.4 is recommended, because
OpenSSH 3.4 adds checks for a class of potential bugs.
2. Impact:
This bug can be exploited remotely if
ChallengeResponseAuthentication is enabled in sshd_config.
Affected are at least systems supporting
s/key over SSH protocol version 2 (OpenBSD, FreeBSD
and NetBSD as well as other systems supporting
s/key with SSH). Exploitablitly of systems
using PAM in combination has not been verified.
------
While looking at the HTTP browser of RSYNC mirror, I see no ebuild or package for OpenSSH 3.4. I can imagine those running OpenSSH [sshd] might not update it on their own besides for using emerge. |
|
Back to top |
|
|
Zu` l33t
Joined: 26 May 2002 Posts: 716 Location: BE
|
Posted: Wed Jun 26, 2002 9:26 pm Post subject: Re: OpenSSH 3.4 |
|
|
DrSpock wrote: | While looking at the HTTP browser of RSYNC mirror, I see no ebuild or package for OpenSSH 3.4. I can imagine those running OpenSSH [sshd] might not update it on their own besides for using emerge. |
It's there now
Code: | emerge rsync
emerge -u openssh
emerge -c openssh |
Greets |
|
Back to top |
|
|
|