anybody out there who got the exploit under http://online.securityfocus.com/bid/4560 to work against ssh 3.x.x? thomas Thomas Springer
Hi! On Mon, 22 Apr 2002, Thomas Springer wrote:
> anybody out there who got the exploit under http://online.securityfocus.com/bid/4560 to work against ssh 3.x.x?

More interesting for me at the moment: is openssh-2.9.9p2, as supplied by SuSE on the update server, vulnerable? If I understand the bugtraq posting (of 19-April-2002) correctly, the bug is somewhere in the Kerberos token handling; apparently, at least the SuSE 7.2 version was compiled with Kerberos support disabled (all Kerberos-related options I tried were answered with an error message), so this version should be safe - right?

Martin
* Martin Köhling (mk@lw1.cc-computer.de) [020422 07:46]:
::
::More interesting for me at the moment: is openssh-2.9.9p2, as supplied by
::SuSE on the update server, vulnerable?

No it's not vulnerable. SuSE tends to patch the same version-numbered RPM so as not to break deps. The 2.9.9 rpm is fully patched and safe.

As for 3.X being vulnerable..it's 3.0.2 and below..3.1 isn't.

-=Ben
--=====-----=====--
mailto:ben@whack.org
--=====--
"I've never been quarantined. But the more I look around the more I think it might not be a bad thing." -GC
--=====-----=====--
On Mon, 22 Apr 2002, Ben Rosenberg wrote:
> * Martin Köhling (mk@lw1.cc-computer.de) [020422 07:46]:
> ::
> ::More interesting for me at the moment: is openssh-2.9.9p2, as supplied by
> ::SuSE on the update server, vulnerable?
>
> No it's not vulnerable. SuSE tends to patch the same version-numbered RPM so as not to break deps. The 2.9.9 rpm is fully patched and safe.
I *think* you're making a mistake here: this is (apparently) a *new* bug - SuSE didn't have time to fix anything yet!
> As for 3.X being vulnerable..it's 3.0.2 and below..3.1 isn't.
Umm, no; this is from the openssh announcement list (I got it today):

~~~~~~~~~~~~cut~~~~~~~~~~~~~~~~~
From provos@citi.umich.edu Tue Apr 23 11:01:29 2002
Date: Sat, 20 Apr 2002 23:39:31 -0400
From: Niels Provos <provos@citi.umich.edu>
Subject: [openssh-unix-announce] OpenSSH Security Advisory (adv.token)

A buffer overflow exists in OpenSSH's sshd if sshd has been compiled with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file. Ticket and token passing is not enabled by default.

1. Systems affected:

All Versions of OpenSSH compiled with AFS/Kerberos support and ticket/token passing enabled contain a buffer overflow. Ticket/Token passing is disabled by default and available only in protocol version 1.

2. Impact:

Remote users may gain privileged access for OpenSSH < 2.9.9
Local users may gain privileged access for OpenSSH < 3.3
No privileged access is possible for OpenSSH with UsePrivsep enabled.

3. Solution:

Apply the following patch and replace radix.c with http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/radix.c?rev=1.18

4. Credits:

kurt@seifried.org for notifying the OpenSSH team.
http://mantra.freeweb.hu/
~~~~~~~~~~~~cut~~~~~~~~~~~~~~~~~

So I *think* the SuSE version might be safe - not because it's already patched, but because SuSE didn't compile in Kerberos support; in addition, according to the advisory, only protocol version 1 is affected - disabling this might be a good idea anyway. (No idea what "UsePrivSep" means - some new openssh 3.x feature?)

Cheers
Martin
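The advisory quoted above gives a defender a concrete checklist: the overflow is reachable only if ticket/token passing is switched on, only over protocol 1, and privilege separation blocks privileged access. The script below is an added example (not from this thread or from the OpenSSH project) that reads an sshd_config and applies exactly those conditions. It assumes the keyword names KerberosTgtPassing, AFSTokenPassing, Protocol and UsePrivilegeSeparation (the long form of the advisory's "UsePrivsep"), that the first occurrence of a keyword wins as in sshd, and that an unset Protocol line means the era default "2,1"; the sample config it audits is constructed for the demonstration.

```shell
#!/bin/sh
# Audit an sshd_config against the adv.token conditions.
# Added example, not the thread's or OpenSSH's own code.

# Print the lower-cased value of keyword $2 in config file $1.
# sshd honours the first occurrence, so stop at the first match.
# Prints nothing when the keyword is absent or only commented out.
sshd_opt() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                        # skip comments
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Classify a config as SAFE, MITIGATED or EXPOSED per the advisory:
#   SAFE      - ticket/token passing off, or protocol 1 disabled
#   MITIGATED - passing on over protocol 1, but privilege separation on
#   EXPOSED   - passing on over protocol 1, no privilege separation
check_sshd_config() {
    cfg="$1"
    tgt=$(sshd_opt "$cfg" KerberosTgtPassing)
    afs=$(sshd_opt "$cfg" AFSTokenPassing)
    proto=$(sshd_opt "$cfg" Protocol)
    privsep=$(sshd_opt "$cfg" UsePrivilegeSeparation)

    # Assumption: an unset Protocol line meant "2,1" in OpenSSH of that era.
    if [ -z "$proto" ]; then
        proto="2,1"
    fi

    passing=no
    if [ "$tgt" = yes ] || [ "$afs" = yes ]; then
        passing=yes
    fi

    # Both passing options are off by default; nothing to reach then.
    if [ "$passing" = no ]; then
        echo SAFE
        return 0
    fi

    # The vulnerable path exists only in protocol version 1.
    case "$proto" in
        *1*) ;;                       # protocol 1 offered: keep checking
        *)   echo SAFE; return 0 ;;   # protocol 2 only
    esac

    if [ "$privsep" = yes ]; then
        echo MITIGATED
    else
        echo EXPOSED
    fi
}

# Demonstration on a constructed config (not a real host's file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample sshd_config
Port 22
Protocol 2,1
# KerberosTgtPassing yes   <- commented out, must be ignored
AFSTokenPassing yes
EOF
printf 'constructed sample: %s\n' "$(check_sshd_config "$demo")"
rm -f "$demo"
```

Martin's own test (Kerberos keywords rejected with an error) answers the other half of the question, whether the binary was built with Kerberos support at all; a config audit like this one only tells you whether the vulnerable settings are enabled, so run both checks before deciding a host is safe.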