Fwd: Much ado about nothing.
What about the SuSE OpenSSH builds concerning this advisory?!?

Greetz
Christoph

------- Start of forwarded message -------
From: Benjamin Krueger <benjamin@seattleFenix.net>
To: freebsd-security@FreeBSD.ORG
Subject: Fwd: Much ado about nothing.
Date: 26.6.2002 16:23:26

http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584

Regards,
--
Benjamin Krueger
"Life is far too important a thing ever to talk seriously about."
- Oscar Wilde (1854 - 1900)
----------------------------------------------------------------
Send mail w/ subject 'send public key' or query for (0x251A4B18)
Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
-------- End of forwarded message --------
On Wed, Jun 26, 2002 at 04:43:40PM +0200, Christoph Wegener wrote:
> What about the SuSE OpenSSH builds concerning this advisory?!?
I just read this, and I'm not sure how to interpret it. If this is true, and this is the only vulnerability known at this time, then SuSE Linux boxes in their default configuration haven't been vulnerable to this, because the sshd_config file we ship has "ChallengeResponseAuthentication no" in it.

Which means this whole show had little purpose other than being another dubious political stunt of a certain individual.

If that is the case, we apologize for wasting your time and resources.

We are inclined however to wait for a public statement from the OpenBSD team before we decide how to proceed (i.e. whether we're going to wait for 3.4, or back down to 2.9.9 with a fix).

Olaf
--
Olaf Kirch      | Anyone who has had to work with X.509 has probably
okir@suse.de    | experienced what can best be described as
----------------+ ISO water torture. -- Peter Gutmann
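Whether the mitigation Olaf describes applies to a given host depends on what its sshd_config actually says, including the case where the keyword is missing or only present in a comment. The following POSIX shell snippet is an added example, not part of this thread or of any SuSE or OpenSSH package; it reads an sshd_config from standard input and reports the effective ChallengeResponseAuthentication value. It assumes OpenSSH's documented sshd_config semantics: keywords are case-insensitive, the first occurrence of a keyword wins, and an absent ChallengeResponseAuthentication defaults to yes. The sample configurations at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): determine the effective
# ChallengeResponseAuthentication setting of an sshd_config fed on stdin.
#
# Assumptions (OpenSSH sshd_config(5) semantics):
#   - keywords are matched case-insensitively
#   - the first occurrence of a keyword is the one that takes effect
#   - if the keyword is absent, the default is "yes"

# Print "no", "yes", another literal value, or "unset" if the keyword is absent.
cra_setting() {
    # Strip everything after '#' so commented-out lines do not count,
    # then take the value of the first matching keyword, lowercased.
    val=$(sed -e 's/#.*//' \
          | awk 'tolower($1) == "challengeresponseauthentication" { print tolower($2); exit }')
    if [ -z "$val" ]; then
        echo "unset"
    else
        echo "$val"
    fi
}

# Turn the raw setting into a one-line verdict for an administrator.
cra_verdict() {
    case "$(cra_setting)" in
        no)
            echo "ChallengeResponseAuthentication no: challenge-response path disabled" ;;
        yes)
            echo "ChallengeResponseAuthentication yes: challenge-response path enabled" ;;
        unset)
            echo "keyword absent: OpenSSH default (yes) applies, challenge-response path enabled" ;;
        *)
            echo "unrecognised ChallengeResponseAuthentication value" ;;
    esac
}

# Constructed sample resembling the SuSE default described in the thread.
SAMPLE_SUSE='Protocol 2,1
ChallengeResponseAuthentication no
PasswordAuthentication yes'

# Constructed sample where the keyword is only present in a comment.
SAMPLE_COMMENTED='#ChallengeResponseAuthentication yes
PasswordAuthentication yes'

printf '%s\n' "$SAMPLE_SUSE"      | cra_verdict
printf '%s\n' "$SAMPLE_COMMENTED" | cra_verdict
```

Pipe a real file in with `cra_verdict < /etc/ssh/sshd_config`; a result other than "no" means the host relies on the upgrade rather than on the configuration.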
From the OpenSSH portability changelog:

20020626
 ...
 - markus@cvs.openbsd.org 2002/06/26 13:55:37
   [auth2-chall.c]
   make sure # of response matches # of queries, fixes int overflow; from ISS
 - markus@cvs.openbsd.org 2002/06/26 13:56:27
   [version.h]
   3.4
 - (djm) Require krb5 devel for RPM build w/ KrbV
 - (djm) Improve PAMAuthenticationViaKbdInt text from Nalin Dahyabhai <nalin@redhat.com>
 - (djm) Update spec files for release
 - (djm) Fix int overflow in auth2-pam.c, similar to one discovered by ISS
 - (djm) Release 3.4p1
 ...

Does this mean 3.4 is already released?!?

Greetz
Christoph
--
  .-.                      Ruhr-Universitaet Bochum
  /v\    L I N U X         Lehrstuhl fuer Biophysik
 // \\  >Penguin Computing<  c/o Christoph Wegener
/(   )\                    Gebaeude ND 04/Nord
 ^^-^^                     D-44780 Bochum, GERMANY
Tel: +49 (234) 32-25754   Fax: +49 (234) 32-14626
mailto:cwe@bph.ruhr-uni-bochum.de   http://www.bph.ruhr-uni-bochum.de
On Wednesday 26 June 2002 17:10, Christoph Wegener wrote:
> From the OpenSSH portability changelog:
> ...
> Does this mean 3.4 is already released?!?

Yes. And the statement on www.openssh.com confirms that SuSE's packages never had been vulnerable in the first place, using the default configuration option "ChallengeResponseAuthentication no". The OpenBSD team recommends updating to 3.4 anyway.

> Greetz
> Christoph

Regards,
Martin
--
Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany