just for the ppl who don't know already:

http://www.pine.nl/advisories/pine-cert-20020301

:/

--
intraDAT AG                   http://www.intradat.com
Wilhelm-Leuschner-Strasse 7   Tel: +49 69-25629-0
D - 60329 Frankfurt am Main   Fax: +49 69-25629-256
Junk mail is war. RFCs do not apply.
Hi Sven,

> just for the ppl who don't know already:

I just want to avoid misunderstanding the content of that URL. It says:

-------------------------------------------------------------------
Application : OpenSSH
Version(s)  : All versions between 2.0 and 3.0.2
-------------------------------------------------------------------

Does that mean openssh-3.0.2p1 is vulnerable? Is the situation different if password authentication is not allowed from sshd?

--
Kind regards,
Thorsten Liebig
Thorsten Liebig wrote:
> Hi Sven,
>
> > just for the ppl who don't know already:
>
> I just want to avoid misunderstanding the content of that URL. It says:
>
> -------------------------------------------------------------------
> Application : OpenSSH
> Version(s)  : All versions between 2.0 and 3.0.2
> -------------------------------------------------------------------
>
> Does that mean openssh-3.0.2p1 is vulnerable? Is the situation different if password authentication is not allowed from sshd?

I think that's what it means... the authentication is irrelevant because the user must authenticate first... but if he is authenticated, he's able to 'root' the box (if I understand this announcement right).

--
intraDAT AG
> > Hi Sven,
> >
> > -------------------------------------------------------------------
> > Application : OpenSSH
> > Version(s)  : All versions between 2.0 and 3.0.2
> > -------------------------------------------------------------------
> >
> > Does that mean openssh-3.0.2p1 is vulnerable? Is the situation different if password authentication is not allowed from sshd?
>
> I think that's what it means... the authentication is irrelevant because the user must authenticate first... but if he is authenticated, he's able to 'root' the box (if I understand this announcement right).

And it's only one line to be changed... Anyway, I am going to rebuild it for all ix platforms :-(

--
Kind regards,
Thorsten Liebig
On Thursday, 7. March 2002 15:35, Sven Michels wrote:
> Does that mean openssh-3.0.2p1 is vulnerable ?

It is. This is from the FreeBSD-Advisory:

Affects:        FreeBSD 4.4-RELEASE, 4.5-RELEASE
                FreeBSD 4.5-STABLE prior to the correction date
                openssh port prior to openssh-3.0.2_1
                openssh-portable port prior to openssh-portable-3.0.2p1_1

Cheers
Bjoern
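The confusion in this thread is whether "3.0.2p1" falls inside "all versions between 2.0 and 3.0.2", and whether the FreeBSD "_1" port revision is a different release. The following is an added example written for this archive, not code from the thread or from any of the projects mentioned: it parses OpenSSH version strings (as printed by `ssh -V` or as package names) into upstream release, portable suffix and port revision, and classifies a host for patch triage using only the two version ranges quoted above. The banner strings are constructed, the regex is my own assumption about the string formats, and the classification labels are mine.

```python
import re
from typing import NamedTuple, Optional

# Affected range as quoted from the pine-cert-20020301 advisory in the thread:
# "All versions between 2.0 and 3.0.2" (taken as inclusive on both ends).
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (3, 0, 2)


class OpenSSHVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    portable: Optional[int]       # the "p1" of 3.0.2p1; None for the OpenBSD-native release
    port_revision: Optional[int]  # FreeBSD-style "_1" port revision; None if absent


# Assumed formats: "OpenSSH_3.0.2p1, SSH protocols ...", "openssh-3.0.2_1",
# "openssh-portable-3.0.2p1_1". Anything else raises ValueError below.
_VERSION_RE = re.compile(
    r"openssh(?:-portable)?[_-]"
    r"(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?:p(?P<portable>\d+))?(?:_(?P<rev>\d+))?",
    re.IGNORECASE,
)


def parse_openssh_version(text: str) -> OpenSSHVersion:
    """Extract the first OpenSSH version string from a banner or package name."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSH version string in {text!r}")
    return OpenSSHVersion(
        int(m["major"]),
        int(m["minor"]),
        int(m["patch"] or 0),
        int(m["portable"]) if m["portable"] else None,
        int(m["rev"]) if m["rev"] else None,
    )


def upstream_version_affected(v: OpenSSHVersion) -> bool:
    """True when the upstream release number lies in the advisory's range.

    The portable "pN" suffix does not move the release number: 3.0.2p1 is the
    portable build of 3.0.2 and therefore inside the range, which answers the
    question asked in the thread.
    """
    return AFFECTED_MIN <= (v.major, v.minor, v.patch) <= AFFECTED_MAX


def triage(banner: str) -> str:
    """Classify one host for patching from its version string alone.

    Returns one of three constructed labels:
      "not-affected"            release number outside the advisory range
      "fixed-port-revision"     3.0.2 with a FreeBSD port revision >= 1, which the
                                quoted FreeBSD advisory lists as the corrected port
      "affected-or-backported"  inside the range; may still be a vendor-patched
                                package that kept the old number (see usage note)
    """
    v = parse_openssh_version(banner)
    if not upstream_version_affected(v):
        return "not-affected"
    if (v.major, v.minor, v.patch) == AFFECTED_MAX and (v.port_revision or 0) >= 1:
        return "fixed-port-revision"
    return "affected-or-backported"


# Constructed sample inputs, not real host data.
SAMPLE_BANNERS = [
    "OpenSSH_3.0.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f",  # the case asked about
    "OpenSSH_2.9.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f",  # a 2.9.9 distro package
    "openssh-portable-3.0.2p1_1",                                  # corrected FreeBSD port
    "OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f",    # release after the fix
    "OpenSSH_1.2.3",                                               # below the advisory range
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{triage(banner):24} {banner}")
```

The third label is deliberately not "vulnerable": as the rest of the thread notes, SuSE patches its existing 2.9.9p1 package instead of bumping the version, so a banner inside the range is only a prompt to check the vendor's package changelog, never a proof that the host is unpatched.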
* Bjoern Engels (bengels@lanworks.de) [020307 07:20]:
->On Thursday, 7. March 2002 15:35, Sven Michels wrote:
->
->> > Does that mean openssh-3.0.2p1 is vulnerable ?
->
->It is. This is from the FreeBSD-Advisory:
->
->  Affects:  FreeBSD 4.4-RELEASE, 4.5-RELEASE
->            FreeBSD 4.5-STABLE prior to the correction date
->            openssh port prior to openssh-3.0.2_1
->            openssh-portable port prior to openssh-portable-3.0.2p1_1

I can't seem to find this .2p1_1 version on OpenBSD's site. Could someone point my dumbass towards it? ;)

-----=====-----=====-----=====-----=====-----
Ben Rosenberg                 mailto:ben@whack.org
-----=====-----=====-----=====-----=====-----
"I've never been quarantined. But the more I look around the more I
think it might not be a bad thing." -JC
On 7. März 2002 18:00 Ben Rosenberg wrote:
> I can't seem to find this .2p1_1 version on OpenBSD's site. Could
> someone point my dumbass towards it? ;)

Found it after a good bit of searching on
ftp://ftp.fi.debian.org/pub/OpenBSD/OpenSSH/portable/

HTH
R.

--
Ruediger Haars, Technical Consultant
APIS Networks GmbH, Kronstadter Str. 11, 81677 Muenchen
Tel.: 089-357147-0; email: ruediger.haars@picturemaxx.com
* Ruediger Haars (ruediger.haars@picturemaxx.com) [020307 09:11]:
->On 7. März 2002 18:00 Ben Rosenberg wrote:
->
->> I can't seem to find this .2p1_1 version on OpenBSD's site. Could
->> someone point my dumbass towards it? ;)
->
->Found it after a good bit of searching on
->ftp://ftp.fi.debian.org/pub/OpenBSD/OpenSSH/portable/

Yeah, I was looking for this .2p1_1 when Roman pointed out that I should maybe try 3.1 ;)

Or the updated 2.9.9 pkgs that have been patched on SuSE's ftp site. :)

--
Ben Rosenberg
This is probably a touch off-topic. I've been grabbing my updates from:

http://www.suse.com/us/support/download/updates/71_i386.html

What's the relationship timewise between this and the ftp sites when updates (especially critical ones) come out?

Hen

On Thu, 7 Mar 2002, Ben Rosenberg wrote:

> * Ruediger Haars (ruediger.haars@picturemaxx.com) [020307 09:11]:
> ->On 7. März 2002 18:00 Ben Rosenberg wrote:
> ->
> ->> I can't seem to find this .2p1_1 version on OpenBSD's site. Could
> ->> someone point my dumbass towards it? ;)
> ->
> ->Found it after a good bit of searching on
> ->ftp://ftp.fi.debian.org/pub/OpenBSD/OpenSSH/portable/
>
> Yeah, I was looking for this .2p1_1 when Roman pointed out that I should maybe try 3.1 ;)
>
> Or the updated 2.9.9 pkgs that have been patched on SuSE's ftp site. :)
Ben Rosenberg wrote:
> Or the updated 2.9.9 pkgs that have been patched on SuSE's ftp site. :)

that are patched ones... but all seems to work okay :)

--
intraDAT AG
Yes, SuSE tends to just patch the existing pkg so as not to break dependencies.. so until 8.0 comes out.. 2.9.9p1 will continue to get patched.. don't worry. Roman knows what he's doing :)

I personally just compile this stuff myself. It's old habit.

* Sven Michels (smichels@intradat.com) [020307 09:29]:
->Ben Rosenberg wrote:
->
->> Or the updated 2.9.9 pkgs that have been patched on SuSE's ftp site. :)
->
->that are patched ones... but all seems to work okay :)

--
Ben Rosenberg
> just for the ppl who don't know already:
> http://www.pine.nl/advisories/pine-cert-20020301
> :/

Huuuhh - not nice - don't like this kind of OPEN ssh :O)
the updates are on ftp.suse.com,
announcement will follow soon.

happy updating ;)

--
intraDAT AG
> the updates are on ftp.suse.com,
> announcement will follow soon.

How would you know that? You are right, though, I'm busy with this right now.

> happy updating ;)

Yes, indeed... :-/
Thanks,
Roman.
--
- -
| Roman Drahtmüller
participants (8): Ben Rosenberg, Bjoern Engels, Henri Yandell, Michael Appeldorn, Roman Drahtmueller, Ruediger Haars, Sven Michels, Thorsten Liebig