RE: [suse-security] More information on the OpenSSH vulnerability
I have to say, SuSE has done an excellent job under difficult circumstances in this matter. Thank you for looking out for us.

-----Original Message-----
From: Olaf Kirch [mailto:okir@suse.de]
Sent: Wednesday, June 26, 2002 1:58 PM
To: suse-security@suse.com
Subject: [suse-security] More information on the OpenSSH vulnerability

-----BEGIN PGP SIGNED MESSAGE-----

ISS and the OpenSSH team just released advisories concerning the OpenSSH vulnerability. These advisories state that the vulnerability exists only if the package has been compiled with support for S/Key or BSDAUTH authentication.

Inspecting the patches included in the OpenSSH advisory, however, shows that there is a second vulnerability that can be exploited when interactive keyboard mode is enabled (via the PAMAuthenticationViaKbdInt option in sshd_config).

Neither S/Key nor BSDAUTH were enabled in previous RPMs released by SuSE (i.e. the OpenSSH 2.9.9p2 RPMs previously released on March 6, and the OpenSSH 3.0.2p1 RPMs released with SuSE Linux 8.0). Support for interactive keyboard mode is compiled in, and is off by default in recent RPMs. However, it can be enabled by the administrator.

This means that, in the default configuration, SuSE Linux users are not affected by this vulnerability.

We will release another set of RPMs that fix this vulnerability soon.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3in
Charset: noconv

iQEVAwUBPRoAK3ey5gA9JdPZAQGPYwf+LM2z48HlQLHZBkKcKKjJPHyxVlK4JcFs
vqyfcXTgXpjw1ja4NAZpYipMTCHC46IRVjiWHOxKTku2fyUjWe/w3/HdBnY7C51m
Un2O7/LcxUrCLipnz6M8c+RzGoWbLQlne0Q8ohPkEcIIOIGBzVYQ+eHjKVY4QYDy
+bCA/I+DhsS1QVmdgysNGWjuTd3oiUCYypb1ICLDhE2H0lD3su/HHzhJbFn+lT/a
SKqlAwlYGcnL0+776gz1hx084uHKI29BvRaFDmtQ9MVbfDG/Tc/DqqtskPxtSsLL
ZkvdPLyQOTjLxZkp7BBDH+1NSim+7t9xiYw8T2kYSsnRlZm8BreOlA==
=LoIo
-----END PGP SIGNATURE-----

--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
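The mail above says the second vulnerability only matters when the administrator has turned on PAMAuthenticationViaKbdInt in sshd_config. The following shell snippet is an added example for checking that; it is not part of the original mail and not SuSE's or OpenSSH's own code. It follows the sshd_config parsing rules (keywords are case-insensitive, lines beginning with `#` are comments, whitespace or a single `=` separates keyword and value, and for each keyword the first value found is used) and, as the mail describes for the SuSE defaults, treats an absent or commented-out keyword as "off". The two config files it writes are constructed samples, not real system files.

```shell
#!/bin/sh
# kbdint_enabled FILE
#   Prints "yes" if the first PAMAuthenticationViaKbdInt line in FILE
#   enables interactive keyboard mode, "no" otherwise (including when
#   the keyword is absent, which the mail describes as the default).
kbdint_enabled() {
    result=$(awk '
        # skip blank lines and comment lines
        /^[[:space:]]*$/ || /^[[:space:]]*#/ { next }
        {
            # normalise an optional "=" separator to whitespace and re-split
            sub(/[[:space:]]*=[[:space:]]*/, " ")
            $0 = $0
            # keywords are case-insensitive; only the first match counts
            if (tolower($1) == "pamauthenticationviakbdint" && !done) {
                print tolower($2)
                done = 1
            }
        }' "$1")
    case "$result" in
        yes) echo yes ;;
        *)   echo no  ;;
    esac
}

# Constructed sample: a default-style config with the option commented out
OFF_CFG=$(mktemp)
cat > "$OFF_CFG" <<'EOF'
Port 22
#PAMAuthenticationViaKbdInt no
PasswordAuthentication yes
EOF

# Constructed sample: an administrator enabled the option using the "="
# form; the later "no" line is ignored because sshd uses the first value
ON_CFG=$(mktemp)
cat > "$ON_CFG" <<'EOF'
Port 22
PAMAuthenticationViaKbdInt = yes
PAMAuthenticationViaKbdInt no
EOF

echo "default-style config: $(kbdint_enabled "$OFF_CFG")"   # no
echo "admin-enabled config: $(kbdint_enabled "$ON_CFG")"    # yes
```

Run it against the real file with `kbdint_enabled /etc/ssh/sshd_config`; a "yes" means the host is in the non-default configuration the mail warns about. The check says nothing about the first vulnerability (S/Key or BSDAUTH support compiled in), which depends on how the sshd binary was built rather than on sshd_config.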
Participants (1): Alan Rouse