Mailinglist Archive: opensuse-security-announce (7 mails)

More information on the OpenSSH vulnerability
  • From: Olaf Kirch <okir@xxxxxxx>
  • Date: Wed, 26 Jun 2002 18:05:27 +0000 (UTC)
  • Message-id: <20020626195733.A24749@xxxxxxxxxxxxx>
ISS and the OpenSSH team just released advisories concerning the
OpenSSH vulnerability. These advisories state that the vulnerability
exists only if the package has been compiled with support for S/Key
or BSDAUTH authentication. Inspecting the patches included in the
OpenSSH advisory, however, shows that there is a second vulnerability that
can be exploited when interactive keyboard mode is enabled (via the
PAMAuthenticationViaKbdInt option in sshd_config).

Neither S/Key nor BSDAUTH was enabled in previous RPMs released by
SuSE (i.e. the OpenSSH 2.9.9p2 RPMs previously released on March 6,
and the OpenSSH 3.0.2p1 RPMs released with SuSE Linux 8.0). Support for
interactive keyboard mode is compiled in, and is off by default in recent
RPMs. However, it can be enabled by the administrator.

Which means that, in the default configuration, SuSE Linux users are
not affected by this vulnerability.

We will release another set of RPMs that fix this vulnerability soon.

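An added example, not part of the original message or of any SuSE or OpenSSH tooling: a shell check that reports whether `PAMAuthenticationViaKbdInt` is switched on in a given `sshd_config`. The function names and sample files are hypothetical, and the parsing rules (case-insensitive keywords, `#` comments, first occurrence wins) are stated as assumptions about how sshd reads the file.

```shell
#!/bin/sh
# Added example (not from the advisory): report the effective value of
# PAMAuthenticationViaKbdInt in an sshd_config file.
# Assumptions: keywords are case-insensitive, blank lines and '#' lines are
# ignored, and the first occurrence of a keyword is the one sshd uses.
kbdint_setting() {
    # $1 = path to sshd_config; prints "yes", "no" or "unset"
    awk '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)            # leading whitespace
            sub(/[ \t]*=[ \t]*/, " ", line)     # tolerate "Keyword=value"
            n = split(line, f, /[ \t]+/)
            if (tolower(f[1]) == "pamauthenticationviakbdint") {
                print (n >= 2 ? tolower(f[2]) : "unset")
                found = 1
                exit                            # first occurrence wins
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

kbdint_enabled() {
    # exit status 0 when the option is explicitly switched on
    [ "$(kbdint_setting "$1")" = "yes" ]
}

# Constructed sample configs (not taken from any real host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/default" <<'EOF'
Port 22
#PAMAuthenticationViaKbdInt yes
EOF
cat > "$demo_dir/enabled" <<'EOF'
Protocol 2
pamauthenticationviakbdint Yes
PAMAuthenticationViaKbdInt no
EOF

for f in "$demo_dir/default" "$demo_dir/enabled"; do
    if kbdint_enabled "$f"; then
        echo "$f: PAMAuthenticationViaKbdInt is enabled; disable it or update"
    else
        echo "$f: PAMAuthenticationViaKbdInt is $(kbdint_setting "$f")"
    fi
done
rm -rf "$demo_dir"
```

A result of `unset` means the compiled-in default applies, which the message above describes as off in recent RPMs.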
