[TCLUG] [Security Discuss] new sshd exploit ? (fwd)

Fri Nov 30 10:12:26 CST 2001

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes, it is. However it's apparently fixed in the current production code.
The major issue is that it looks like the broken code was only recently
the current production code. I think this will be my queue to just go bite
the bullet and update from OpenBSD 2.9 to 3.0 since that takes OpenSSH
with it to 3.0.1.

Joshua b. Jore
Minneapolis Ward 3, precinct 10
http://www.greentechnologist.org

On Fri, 30 Nov 2001, Austad, Jay wrote:

> Wow.  An app designed to provide security actually compromising it.  Gotta
> love that.  Remind me not to ever open ssh again and to require a VPN
> connection for all remote administration.
>
> That's annoying.
>
> > -----Original Message-----
> > From: Joshua b. Jore [mailto:josh at kitten.greentechnologist.org]
> > Sent: Thursday, November 29, 2001 8:31 PM
> > To: tclug-list at mn-linux.org
> > Subject: [TCLUG] [Security Discuss] new sshd exploit ? (fwd)
> >
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > (forwarded from misc at openbsd.org. The affected people ran Redhat)
> >
> > FYI...  heads' up from the SSH mail list
> >
> > > > A colleague sent me a very vague e-mail, telling me that
> > I should 'disable
> > > > SSHD now' because of a 'private exploit being circulated
> > since Saturday'.
> > > >
> > > > Anyone know anything about this?
> > >
> > > The following URL should give you some more information:
> > >
> > http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100696253318793&w=2
> >
> > Given the other issue of Kerberos pre-v3, an update to the
> > latest OpenSSH 3.0+ seems warrented.
> >     http://www.oreillynet.com/lpt/a/linux/2001/11/26/insecurities.html
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.0.6 (OpenBSD)
> > Comment: For info see http://www.gnupg.org
> >
> > iD8DBQE8Bu95fexLsowstzcRAn9UAJwPqCgv7n5zBAF7K4EbUGfgml2cLQCfdICG
> > bS4kDoKGWmvGLrp+PXs2kiA=
> > =Z8jF
> > -----END PGP SIGNATURE-----
> >
> > _______________________________________________
> > Twin Cities Linux Users Group Mailing List - Minneapolis/St.
> > Paul, Minnesota
> > http://www.mn-linux.org
> > tclug-list at mn-linux.org
> > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> >
> _______________________________________________
> Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (OpenBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8B4g8fexLsowstzcRAkWFAJwLlyrIywKswzXWJkr00Qq186lDEQCgwF8v
l0dX2D28nB06z3IONTX2AFM=
=s0TK
-----END PGP SIGNATURE-----