I disagree with you here. I believe SuSE have done exactly as they should
have by releasing an official answer to what everyone is asking them.
We had a thread about this only a month or so ago talking about SuSE
notifying us of upcoming problems..
Way to go SuSE
--
Viel Spaß
Peter Nixon - nix@susesecurity.com
SuSE Security FAQ Maintainer
http://www.susesecurity.com/faq/
"If you think cryptography will solve the problem, then you don't
understand cryptography and you don't understand your problem."
On Wed, 26 Jun 2002 10:02:01 -0400
"Ryan Swenson"
Again I feel SuSE jumped ahead or in with a knee-jerk reaction to the alleged OpenBSD/OpenSSH exploit for SSH whose argument to this moment has been largely unfounded. Until they have produced enough documentation actually warning of the exploit and where exactly it does so, it has not even been made a CVE candidate, released in any official advisory except SuSE. The Developers of OpenSSH do not even have an answer themselves but to upgrade to 3.3 for a mere workaround whereas 3.3 has fundamental issues of its own.
I would wait until it's official before getting all too excited - perhaps look at http://online.securityfocus.com/advisories/4230
Ryan S.
-----Original Message-----
From: Simon Oliver [mailto:simon.oliver@umist.ac.uk]
Sent: Wednesday, June 26, 2002 9:48 AM
To: suse-security@suse.com
Subject: [suse-security] OpenSSH Vulnerability and Setting PrivilegeSeparation
- They are asking all users to upgrade to version 3.3 (sic), and enable the PrivilegeSeparation option.
I have some machines running sshd V3 (not-SuSE distro). So I downloaded 3.3p1 from openssh - there are two configure options to set privsep options during compilation, but what values should I use?
--with-privsep-path= --with-privsep-user=
Can these be overridden / supplied in sshd_config or must it be done at compile time? Also, are there any unforeseen (by me) side effects?
-- Simon Oliver
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here