Again I feel SuSE jumped ahead or in with a knee-jerk reaction to the alleged OpenBSD/OpenSSH exploit for SSH whose argument to this moment has been largely unfounded. Until they have produced enough documentation actually warning of the exploit and where exactly it does so, it has not even been made a CVE candidate, released in any official advisory except SuSE. The developers of OpenSSH do not even have an answer themselves but to upgrade to 3.3 for a mere workaround whereas 3.3 has fundamental issues of its own. I would wait until it's official before getting all too excited - perhaps look at http://online.securityfocus.com/advisories/4230

Ryan S.

-----Original Message-----
From: Simon Oliver [mailto:simon.oliver@umist.ac.uk]
Sent: Wednesday, June 26, 2002 9:48 AM
To: suse-security@suse.com
Subject: [suse-security] OpenSSH Vulnerability and Setting PrivilegeSeparation

They are asking all users to upgrade to version 3.3 (sic), and enable the PrivilegeSeparation option.
I have some machines running sshd V3 (not-SuSE distro). So I downloaded 3.3p1 from openssh - there are two configure options to set privsep options during compilation, but what values should I use?

--with-privsep-path=
--with-privsep-user=

Can these be overridden / supplied in sshd_config or must it be done at compile time? Also, are there any unforeseen (by me) side effects?

--
Simon Oliver
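
An added example, not part of the original thread or of OpenSSH: a POSIX shell check for whatever directory and account are passed to `--with-privsep-path` and `--with-privsep-user`. It assumes the usual privilege-separation layout (an empty, root-owned chroot directory that is not group- or world-writable, and a dedicated non-root account); the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of OpenSSH.

# check_privsep_dir DIR [OWNER_UID]
# Assumed layout: DIR is a real directory, owned by OWNER_UID (default 0,
# i.e. root), not group- or world-writable, and empty.
check_privsep_dir() {
    dir=$1
    want_uid=${2:-0}
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing, a symlink, or not a directory"; return 1
    fi
    info=$(ls -ldn "$dir") || return 1          # "mode links uid gid ..."
    mode=$(printf '%s\n' "$info" | awk '{print $1}')
    uid=$(printf '%s\n' "$info" | awk '{print $3}')
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $dir is owned by uid $uid, expected $want_uid"; return 1
    fi
    # Character 6 of the mode string is group write, character 9 world write.
    case $mode in
        ?????w*|????????w*)
            echo "FAIL: $dir is group- or world-writable ($mode)"; return 1 ;;
    esac
    if [ -n "$(ls -A "$dir")" ]; then
        echo "FAIL: $dir is not empty"; return 1
    fi
    echo "OK: $dir"
}

# check_privsep_user NAME
# Assumed requirement: the account exists and is not uid 0.
check_privsep_user() {
    uid=$(id -u "$1" 2>/dev/null) || { echo "FAIL: no such user: $1"; return 1; }
    if [ "$uid" -eq 0 ]; then
        echo "FAIL: $1 has uid 0"; return 1
    fi
    echo "OK: $1 (uid $uid)"
}

# Run as: sh check_privsep.sh <privsep-path> <privsep-user>
if [ "$#" -eq 2 ]; then
    check_privsep_dir "$1" && check_privsep_user "$2"
fi
```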