On Wed, Jun 26, 2002 at 09:51:05PM -0700, Ben Rosenberg wrote:
* Robert C. Paulsen Jr. (robert@paulsenonline.net) [020626 18:31]:
::Well, there was a security notice recommending an update. If there is no
::exposure why update?
Please check out.
www.slashdot.org linuxtoday.com techweb.com
and about 100 other sites for information about the OpenSSH root exploit that was discovered.
ok, these three plus about 100 other are right and Olaf Kirch in <http://lists.suse.com/archive/suse-security/2002-Jun/0399.html> saying:

  ISS and the OpenSSH team just released advisories concerning the OpenSSH vulnerability. These advisories state that the vulnerability exists only if the package has been compiled with support for S/Key or BSDAUTH authentication.

  Inspecting the patches included in the OpenSSH advisory however show that there is a second vulnerability that can be exploited when interactive keyboard mode is enabled (via the PAMAuthenticationViaKbdInt option in sshd_config).

  Neither S/Key or BSDAUTH were enabled in previous RPMs released by SuSE (i.e. the OpenSSH 2.9.9p2 RPMs previously released on March 6, and the OpenSSH 3.0.2p1 RPMs released with SuSE Linux 8.0). Support for interactive keyboard mode is compiled in, and is off by default in recent RPMs. However, it can be enabled by the administrator.

  Which means that, in the default configuration, SuSE Linux users are not affected by this vulnerability.

is wrong.

Thanks,
-Kastus
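
Added example, not part of the original thread: the quoted advisory ties exposure to whether PAMAuthenticationViaKbdInt is enabled in sshd_config, so this sketch reports how a given config file sets that option. The function name kbdint_state and the sample config are constructed for illustration; "unset" means the file does not set the option and the packaged default applies.

```shell
#!/bin/sh
# Added example (not from the thread). kbdint_state is a hypothetical helper.
# Prints one of: enabled | disabled | unset
kbdint_state() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # keyword and value are separated by whitespace or a single "="
            n = match(line, /[ \t=]/)
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))   # keywords are case-insensitive
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (key == "pamauthenticationviakbdint") {
                # sshd keeps the first value it reads, so stop at the first hit
                state = (val == "yes" || val == "true") ? "enabled" : "disabled"
                print state
                found = 1
                exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Constructed sample config, not taken from any real host.
sample=$(mktemp)
printf '%s\n' \
    '# PAMAuthenticationViaKbdInt no' \
    'Port 22' \
    'pamauthenticationviakbdint yes' \
    'PAMAuthenticationViaKbdInt no' > "$sample"
kbdint_state "$sample"
rm -f "$sample"
```

On a real host, point it at the file sshd actually reads, for example `kbdint_state /etc/ssh/sshd_config`.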