Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] lastest SuSE openssh update
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Wed, 11 Sep 2002 13:01:12 +0200 (MEST)
  • Message-id: <Pine.LNX.4.44.0209111255340.31771-100000@xxxxxxxxxxxx>
Hi Thomas,


> Hi,
>
> I just noted that there is a new openssh package
> (openssh-3.4p1-78.i386.rpm) flagged as "security fix". The description is:
>
> "Description: Fix for a malfunction in sshd with relation to sshd
> configuration option "PermitRootLogin forced-commands-only". This update
> also contains security fixes from a former update"
>
> So I guess you're only affected if you set PermitRootLogin to
> forced-commands-only in your sshd.conf
>
> I guess I'm on the sure side when all my servers have PermitRootLogin set
> to no. I quickly checked the openssh.org site, announce and dev lists,
> but didn't find any relevant details (didn't see any in Bugtraq and
> Vulndev also if I remember correctly, but I only did a quick check).
>
> Is there any detailed information about this issue? Or is it SuSE
> specific (and if it is, I'm interested why :P )
>

It's not SuSE-specific, no. Basically, the reason for the update was that
you were kicked out after authentication when running the specified
command, without any further notice. This should actually work, so it
should do more than what it does. It's a non-security-critical malfunction
that we liked to have fixed in the world.

Sebastian, can you please make a brief note in section 2) of the upcoming
announcement about the new openssh-3.4p1 package in the 8.0 update tree?


>
> Thanks,
>
> Tom

Thanks,
Roman.
--
- -
| Roman Drahtmüller <draht@xxxxxxx> // "You don't need eyes to see, |
SuSE Linux AG - Security Phone: // you need vision!"
| Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless |
- -
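
To see whether a host uses the setting named in the update description, the following added example (not part of this thread and not SuSE's or OpenSSH's own tooling) reports the global `PermitRootLogin` value a config file yields. It relies on sshd using the first value it obtains for a keyword and on keywords being case-insensitive; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: print the effective global PermitRootLogin value from an
# sshd configuration file, or "unset" if the file never sets it globally.
# Function names are hypothetical, not part of OpenSSH.
effective_permit_root_login() {
    # $1: path to the sshd configuration file
    awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        { line = $0; sub(/^[ \t]+/, "", line) }    # drop leading whitespace
        # Stop at the first Match block: only global settings are reported.
        tolower(line) ~ /^match[ \t]/ { exit }
        # Keywords are case-insensitive; "Keyword value" and "Keyword=value".
        tolower(line) ~ /^permitrootlogin[ \t=]/ {
            sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", line)   # strip the keyword
            sub(/[ \t]+$/, "", line)                   # strip trailing blanks
            gsub(/"/, "", line)                        # strip optional quotes
            print line
            found = 1
            exit                                       # first value wins
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeeds when the host uses the setting the update description names.
root_login_forced_only() {
    [ "$(effective_permit_root_login "$1")" = "forced-commands-only" ]
}

# Constructed sample config: the later "no" line is ignored by sshd because
# the first occurrence of the keyword has already set the value.
sample=$(mktemp)
printf '%s\n' \
    '# constructed sample, not a real host config' \
    'Port 22' \
    'permitrootlogin forced-commands-only' \
    'PermitRootLogin no' > "$sample"
if root_login_forced_only "$sample"; then
    echo "PermitRootLogin is forced-commands-only: install the updated package"
fi
rm -f "$sample"
```

A result of `unset` means the compiled-in default applies, which depends on the OpenSSH version installed.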

