Vulnerability Development mailing list archives

Re: OpenSSH Vulns (new?) Priv seperation


From: Jose Nazario <jose () monkey org>
Date: Wed, 26 Jun 2002 12:47:26 -0400 (EDT)

On Tue, 25 Jun 2002, wirepair wrote:

> http://www.securiteam.com/securitynews/5HP0L1F7FA.html Has anyone
> received any more information on this? If so what exactly is the issue?
> This is the part that scares me:

deadly.org has links to the appropriate info, including the ISS advisory.
the quick summary is that it is the challenge-response negotiation in the
ssh2 code.

3.4 has been announced and the fix has been put in. the openbsd.org web
page has been updated, too, to reflect the existence of one remote hole in
the default install in nearly 6 years.

___________________________
jose nazario, ph.d.                     jose () monkey org
                                        http://www.monkey.org/~jose/

