
Re: Upcoming OpenSSH vulnerability



Perhaps you might read a little closer:

"There is an upcoming OpenSSH vulnerability that we're working on with ISS.
Details will be published early next week."

Also the term "upcoming" might have been a big clue.

The instructions for the approved patching method are thus:

Wait for the patch!

In the meantime it'd be swell of you to enable privsep which is outlined so
swellfully (yep, I said swellfully) in the advisory.

All you need to do is add

UsePrivilegeSeparation yes

to your /etc/ssh/sshd_config file:

and this magic might be helpful:

mkdir /var/empty
chown root:sys /var/empty
chmod 755 /var/empty
groupadd sshd
useradd -g sshd sshd

http://www.eviladmin.org/cgi-bin/cvsweb.cgi/README.privsep?rev=1.1&content-type=text/x-cvsweb-markup
might be of some help...

Lastly, I wouldn't say they're strangely quiet about it...  they're being
cautious and wise.  Perhaps letting the vendors of OS's that don't play well
with openssh have some time to sort out their shit.

*shrugs*

- nathan




----- Original Message -----
From: "Adrian Close" <adrian@close.wattle.id.au>
To: <misc@openbsd.org>
Sent: Monday, June 24, 2002 11:32 PM
Subject: Re: Upcoming OpenSSH vulnerability


> On Mon, 24 Jun 2002, Theo de Raadt wrote:
>
> > However, everyone should update to OpenSSH 3.3 immediately, and enable
>
> OK.  Can someone in the know please post some instructions on the approved
> patching method?
>
> I see nothing in http://www.openbsd.org/errata.html about this, nor can I
> find any useful CVS tags in src/usr.bin/ssh...  The FAQ at OpenSSH.com is
> also strangely quiet on the issue of upgrading.
>
> Thanks,
>
> Adrian Close email: adrian@close.wattle.id.au
> 1 Old Gippsland Rd. web: http://www.close.wattle.id.au/~adrian
> Lilydale, VIC, 3140, Australia mobile: +61 412 385 201
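
The privsep setup steps in the reply above (the sshd_config line, /var/empty, and the sshd user and group) can be audited with a short script. This is an added example, not part of the original thread or of OpenSSH; the function names are illustrative, and the emptiness check on the directory is an addition beyond the owner and mode given in the message.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are illustrative.

# Print the effective UsePrivilegeSeparation value from an sshd_config file.
# sshd uses the first value it obtains for a keyword, keywords are
# case-insensitive, and lines starting with '#' are comments.
privsep_setting() {
    awk 'tolower($1) == "useprivilegeseparation" { print tolower($2); exit }' "$1"
}

# Succeed only if $1 is an empty directory owned by uid $2 (default 0, root)
# with mode 755, i.e. the result of the mkdir/chown/chmod steps.
# The emptiness check is an addition; the message only gives owner and mode.
chroot_dir_ok() {
    [ -d "$1" ] || return 1
    [ -z "$(ls -A "$1")" ] || return 1
    want_uid=${2:-0}
    set -- $(ls -ldn "$1")
    [ "$3" = "$want_uid" ] || return 1
    case $1 in drwxr-xr-x*) return 0 ;; *) return 1 ;; esac
}

# Succeed if user sshd exists and its primary group is sshd
# (the groupadd/useradd steps).
privsep_account_ok() {
    [ "$(id -gn sshd 2>/dev/null)" = "sshd" ]
}

# Run all checks against a config file and chroot directory; print one
# line per check and return non-zero if any of them fails.
privsep_report() {
    rc=0
    if [ "$(privsep_setting "$1")" = "yes" ]; then echo "ok   UsePrivilegeSeparation yes"
    else echo "FAIL UsePrivilegeSeparation is not set to yes in $1"; rc=1; fi
    if chroot_dir_ok "$2"; then echo "ok   $2 is empty, root-owned, mode 755"
    else echo "FAIL $2 missing, not empty, or wrong owner/mode"; rc=1; fi
    if privsep_account_ok; then echo "ok   user sshd in group sshd"
    else echo "FAIL user sshd missing or primary group is not sshd"; rc=1; fi
    return $rc
}
```

After sourcing the file, run `privsep_report /etc/ssh/sshd_config /var/empty` to get one result line per prerequisite.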