[TriLUG] Fwd: Upcoming OpenSSH vulnerability *unverified*

Mike Johnson mike at enoch.org
Tue Jun 25 12:55:00 EDT 2002


Lisa Lorenzin [lorenzin at 1000plus.com] wrote:
> 
> new rpms don't appear to have made it onto rufus yet, but they're 
> available at 
> 
> ftp://openbsd.secsup.org/pub/openbsd/OpenSSH/portable/rpm/RH73/

The full list of mirrors:
http://www.openssh.com/portable.html
 
> (7.3 RPM works on 7.2 - i'm not sure about older versions.)

There's also an SRPM that should work for other RPM-based distros.
 
> looks to me like you have to upgrade to openssh 3.3p AND enable privilege
> separation in sshd_config to mitigate.

Yes, you do.  The workaround for the bug that will be released is to
enable PrivSep.  The reason for the upgrade to 3.3 is just to get the
most stable/correct code.

OpenSSH 3.4 (with the actual fix for the bug) will be released next
week (Monday).  Assume that the exploit will also be out on Monday...

Mike
-- 
"Let the power of Ponch compel you!  Let the power of Ponch compel you!"
   -- Zorak on Space Ghost

GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
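
Added example, not part of the original message or of OpenSSH: a shell check that reports whether an sshd_config actually enables the PrivSep workaround discussed above. It assumes the `UsePrivilegeSeparation` keyword and that sshd uses the first value it reads for a keyword; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Report the effective UsePrivilegeSeparation value in an sshd_config.
# Assumption: the first value read for a keyword is the one sshd uses,
# and keywords are matched case-insensitively.

privsep_setting() {
    # $1 = path to sshd_config; prints the value in lower case, or "unset"
    awk '
        { sub(/\r$/, "") }                   # tolerate CRLF line endings
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # keyword and value are separated by whitespace and/or one "="
            n = match(line, /[ \t=]/)
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (key == "useprivilegeseparation") {
                print tolower(val); found = 1; exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

check_privsep() {
    # Returns 0 only when the config explicitly enables privilege separation.
    case "$(privsep_setting "$1")" in
        yes)   echo "OK: privilege separation enabled in $1"; return 0 ;;
        unset) echo "WARN: UsePrivilegeSeparation not set in $1; compiled-in default applies"; return 1 ;;
        *)     echo "FAIL: UsePrivilegeSeparation is not 'yes' in $1"; return 1 ;;
    esac
}

demo() {
    # Constructed sample: a commented-out "yes" followed by a live "no".
    tmp=$(mktemp)
    printf '%s\n' '# constructed sample config' 'Port 22' \
        '#UsePrivilegeSeparation yes' 'useprivilegeseparation no' \
        'UsePrivilegeSeparation yes' > "$tmp"
    check_privsep "$tmp" || true
    rm -f "$tmp"
}
demo
```

Run `check_privsep /etc/ssh/sshd_config` (adjust the path to your install) after upgrading; a commented-out line or a later duplicate does not count as enabling the workaround.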