Full Disclosure mailing list archives
**NEW** OpenSSH Vuln Today
From: Jeremiah Cornelius <jeremiah () nur net>
Date: Tue, 23 Sep 2003 13:11:32 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

To: Secure Shell
Subject: Multiple PAM vulnerabilities in portable OpenSSH
Date: Sep 23 2003 12:40PM
Author: Damien Miller <djm cvs openbsd org>
Message-ID: <200309231240.h8NCePCd025947 () cvs openbsd org>

Subject: Portable OpenSSH Security Advisory: sshpam.adv

This document can be found at: http://www.openssh.com/txt/sshpam.adv

1. Versions affected:

        Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
        vulnerabilities in the new PAM code. At least one of these bugs
        is remotely exploitable (under a non-standard configuration,
        with privsep disabled).

        The OpenBSD releases of OpenSSH do not contain this code and
        are not vulnerable. Older versions of portable OpenSSH are not
        vulnerable.

2. Solution:

        Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM
        support ("UsePam no" in sshd_config).

        Due to complexity, inconsistencies in the specification and
        differences between vendors' PAM implementations we recommend
        that PAM be left disabled in sshd_config unless there is a need
        for its use. Sites only using public key or simple password
        authentication usually have little need to enable PAM support.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/cKj6Ji2cv3XsiSARAgSXAKCnphtbWIwF2kxwYspPwcnQ2nC1HgCdFQqo
nFIlRMEGrI/7QvUcVCwYL7o=
=jsqb
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
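The advisory's two conditions (an affected portable release, and PAM not disabled in sshd_config) can be checked per host with a short script. This is an added example, not part of the advisory or of OpenSSH; the function names and status labels are hypothetical, the release string is supplied by the caller, and an unset UsePAM is not counted as the workaround because the advisory does not state the compiled default.

```shell
#!/bin/sh
# Added example (not OpenSSH project code): triage a host against sshpam.adv.
# Function names and status labels are hypothetical.

# effective_opt FILE KEYWORD: print the lowercased value of the first
# uncommented KEYWORD line, or "unset". sshd keeps the first value it reads
# for a keyword and matches keywords case-insensitively.
effective_opt() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); val = "unset" }
        /^[ \t]*#/ { next }
        tolower($1) == key { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# classify VERSION FILE: VERSION is the portable release string, e.g. 3.7.1p1.
classify() {
    case "$1" in
        3.7p1|3.7.1p1) ;;                       # the two releases the advisory names
        *) echo "not-affected"; return 0 ;;
    esac
    pam=$(effective_opt "$2" UsePAM)
    privsep=$(effective_opt "$2" UsePrivilegeSeparation)
    if [ "$pam" = "no" ]; then
        echo "workaround-applied"               # PAM explicitly disabled
    elif [ "$privsep" = "no" ]; then
        echo "upgrade-urgent"                   # PAM not disabled and privsep off
    else
        echo "upgrade"                          # unset UsePAM is not assumed safe
    fi
}

# Constructed sample config: the later "UsePAM no" has no effect because the
# earlier "usepam yes" is read first.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not from a real host
Port 22
usepam yes
UsePrivilegeSeparation no
UsePAM no
EOF
for v in 3.6.1p2 3.7p1 3.7.1p1 3.7.1p2; do
    printf '%s: %s\n' "$v" "$(classify "$v" "$sample")"
done
rm -f "$sample"
```

On a real host the release string would come from the installed package or the sshd banner, and the file argument would be the sshd_config that the running daemon actually loads.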