Fwd: Much ado about nothing.
What about the SuSE OpenSSH builds concerning this advisory?!?
Greetz
Christoph
------- Start of forwarded message -------
From: Benjamin Krueger
On Wed, Jun 26, 2002 at 04:43:40PM +0200, Christoph Wegener wrote:
What about the SuSE OpenSSH builds concerning this advisory?!?

I just read this, and I'm not sure how to interpret it. If this is true, and this is the only vulnerability known at this time, then SuSE Linux boxes in their default configuration haven't been vulnerable to this, because the sshd_config file we ship has "ChallengeResponseAuthentication no" in it. Which means this whole show had little purpose other than being another dubious political stunt of a certain individual.

If that is the case, we apologize for wasting your time and resources. We are inclined however to wait for a public statement from the OpenBSD team before we decide how to proceed (i.e. whether we're going to wait for 3.4, or back down to 2.9.9 with a fix).

Olaf
--
Olaf Kirch | Anyone who has had to work with X.509 has probably
okir@suse.de | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
From the OpenSSH portability changelog:
20020626
...
- markus@cvs.openbsd.org 2002/06/26 13:55:37
[auth2-chall.c]
make sure # of response matches # of queries, fixes int overflow;
from ISS
- markus@cvs.openbsd.org 2002/06/26 13:56:27
[version.h]
3.4
- (djm) Require krb5 devel for RPM build w/ KrbV
- (djm) Improve PAMAuthenticationViaKbdInt text from Nalin Dahyabhai
On Wednesday 26 June 2002 17:10, Christoph Wegener wrote:
From the OpenSSH portability changelog: ...
Does this mean 3.4 is already released?!?
Yes. And the statement on www.openssh.com confirms that SuSE's packages never had been vulnerable in the first place, using the default configuration option "ChallengeResponseAuthentication no". The OpenBSD team recommends updating to 3.4 anyway.
Greetz Christoph
Regards, Martin
--
Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany
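Added example, not part of the thread or of any SuSE or OpenSSH tooling: a shell check for the effective `ChallengeResponseAuthentication` value in an sshd_config file, the setting the messages above rely on. The function names `effective_cra` and `check_config` and the sample files are constructed for illustration; it assumes sshd uses the first occurrence of a keyword and that the built-in default is "yes" when the option is unset.

```shell
#!/bin/sh
# Added example: report whether ChallengeResponseAuthentication is
# effectively disabled in a given sshd_config.
# Assumptions: first occurrence of a keyword wins, keywords are
# case-insensitive, and an unset option falls back to the default "yes".

effective_cra() {
    # $1 = path to an sshd_config file; prints the effective value
    awk -F '[ \t=]+' '
        { sub(/^[ \t]+/, "") }            # drop leading whitespace, re-split fields
        /^#/ || /^$/ { next }             # skip comments and blank lines
        tolower($1) == "challengeresponseauthentication" {
            v = tolower($2); gsub(/"/, "", v)
            print v; found = 1; exit      # first occurrence wins
        }
        END { if (!found) print "yes" }   # assumed built-in default when unset
    ' "$1"
}

check_config() {
    # Returns 0 only when the option is explicitly "no".
    val=$(effective_cra "$1")
    if [ "$val" = "no" ]; then
        echo "OK: ChallengeResponseAuthentication is disabled in $1"
        return 0
    fi
    echo "REVIEW: ChallengeResponseAuthentication is '$val' in $1"
    return 1
}

# Constructed sample configs (not taken from any real system).
tmp=$(mktemp -d)
printf '%s\n' '# option explicitly disabled' 'Port 22' \
    'ChallengeResponseAuthentication no' > "$tmp/disabled"
printf '%s\n' '# option only present as a comment' 'Port 22' \
    '#ChallengeResponseAuthentication no' > "$tmp/unset"

for f in "$tmp/disabled" "$tmp/unset"; do
    check_config "$f" || true
done
rm -rf "$tmp"
```

A commented-out line counts as unset, so a config that only carries `#ChallengeResponseAuthentication no` is flagged for review rather than reported as disabled.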