RE: [suse-security] OpenSSH Vulnerability and Setting PrivilegeSeparation
Again I feel SuSE jumped ahead or in with a knee-jerk reaction to the alleged OpenBSD/OpenSSH exploit for SSH whose argument to this moment has been largely unfounded. Until they have produced enough documentation actually warning of the exploit and where exactly it does so, it has not even been made a CVE candidate, released in any official advisory except SuSE. The Developers of OpenSSH do not even have an answer themselves but to upgrade to 3.3 for a mere workaround whereas 3.3 has fundamental issues of its own.
I would wait until it's official before getting all too excited - perhaps look at http://online.securityfocus.com/advisories/4230
Ryan S.
-----Original Message-----
From: Simon Oliver [mailto:simon.oliver@umist.ac.uk]
Sent: Wednesday, June 26, 2002 9:48 AM
To: suse-security@suse.com
Subject: [suse-security] OpenSSH Vulnerability and Setting PrivilegeSeparation
- They are asking all users to upgrade to version 3.3 (sic), and enable the PrivilegeSeparation option.
I have some machines running sshd V3 (not-SuSE distro). So I downloaded 3.3p1 from openssh - there are two configure options to set privsep options during compilation, but what values should I use?
--with-privsep-path= --with-privsep-user=
Can these be overridden / supplied in sshd_config or must it be done at compile time? Also, are there any unforeseen (by me) side effects?
-- Simon Oliver
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
I disagree with you here. I believe SuSE have done exactly as they should have by releasing an official answer to what everyone is asking them. We had a thread about this only a month or so ago talking about SuSE notifying us of upcoming problems.
Way to go SuSE
-- Have fun
Peter Nixon - nix@susesecurity.com
SuSE Security FAQ Maintainer http://www.susesecurity.com/faq/
"If you think cryptography will solve the problem, then you don't understand cryptography and you don't understand your problem."
On Wed, 26 Jun 2002 10:02:01 -0400 "Ryan Swenson" <Ryan.Swenson@togethersoft.com> wrote:
Again I feel SuSE jumped ahead or in with a knee-jerk reaction to the alleged OpenBSD/OpenSSH exploit for SSH whose argument to this moment has been largely unfounded. Until they have produced enough documentation actually warning of the exploit and where exactly it does so, it has not even been made a CVE candidate, released in any official advisory except SuSE. The Developers of OpenSSH do not even have an answer themselves but to upgrade to 3.3 for a mere workaround whereas 3.3 has fundamental issues of its own.
I would wait until it's official before getting all too excited - perhaps look at http://online.securityfocus.com/advisories/4230
Ryan S.
-----Original Message-----
From: Simon Oliver [mailto:simon.oliver@umist.ac.uk]
Sent: Wednesday, June 26, 2002 9:48 AM
To: suse-security@suse.com
Subject: [suse-security] OpenSSH Vulnerability and Setting PrivilegeSeparation
- They are asking all users to upgrade to version 3.3 (sic), and enable the PrivilegeSeparation option.
I have some machines running sshd V3 (not-SuSE distro). So I downloaded 3.3p1 from openssh - there are two configure options to set privsep options during compilation, but what values should I use?
--with-privsep-path= --with-privsep-user=
Can these be overridden / supplied in sshd_config or must it be done at compile time? Also, are there any unforeseen (by me) side effects?
-- Simon Oliver