logo       
Google Custom Search
    AddThis Social Bookmark Button
<prev   next>
-->

[Fink-users] Re: openssh vulnerability -- upgrade to the fink package?: msg#00272

Subject: [Fink-users] Re: openssh vulnerability -- upgrade to the fink package? 
At 12:23 Uhr -0400 26.06.2002, Chris Devers wrote:

[This is really aimed at fink-devel, but I've cc'ed -users too as
I'm not sure if I'm properly subscribed to -devel at the moment...]
Ugh, not good, in that case only send to fink-users, but please don't cross post unless it is absolutly necessary, and then, send the messages seperatly to each list. 


There's a remote security exploit in versions of OpenSSH prior to
this week's release of 3.4.

From: http://slashdot.org/article.pl?sid=02/06/26/1547242

    Dan writes: "OpenSSH 3.4 has been released and will be
    shortly available on all mirrors. All versions of
    OpenSSH's sshd between 2.9.9 and 3.3 contain an input
    validation error that can result in an integer overflow
    and privilege escalation. OpenSSH 3.4 fixes this bug."
    And kylus writes: "The previously-mentioned
    vulnerability in OpenSSH has been disclosed by ISS
    X-Force today on the BugTraq list. This is a potential
    remote root compromise, and while there is a workaround,
    it's advised that users upgrade to version 3.4 as soon
    as they can."

http://online.securityfocus.com/archive/1/278818/2002-06-23/2002-06-29/0

Fink is currently providing a package for 3.2.2, which is one of
the vulnerable versions. Will an upgrade be coming out, Max?
Yes. However, please folks, don't spread panic. ChallengeResponseAuthentication is off by default, and only when it is on does any danger exist. Hence for the vast majority of SSH users there is *NO* risk involved currently. Of course an updated package will be put out shortly, but it's not all that bad as one might get the impression. 




Max
--
-----------------------------------------------
Max Horn
Software Developer

email: <mailto:max@xxxxxxxxx>
phone: (+49) 6151-494890


-------------------------------------------------------
This sf.net email is sponsored by: Jabber Inc.
Don't miss the IM event of the season | Special offer for OSDN members! JabberConf 2002, Aug. 20-22, Keystone, CO http://www.jabberconf.com/osdn 
_______________________________________________
Fink-users mailing list
Fink-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/fink-users


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Caffeinated soap. No kidding.
http://thinkgeek.com/sf
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Fink-users] Re: openssh vulnerability -- upgrade to the fink package?, Max Horn
Next by Date:  Re: Solaris port of Fink, Chris Zubrzycki
Previous by Thread:  [Fink-users] Re: openssh vulnerability -- upgrade to the fink package?, Max Horn
Next by Thread:  How do I report failed packages?, Bror Fredrik Jönsson
Indexes:  [Date] [Thread] [Top] [All Lists]

    ^^^ ADDITIONAL NAVIGATION ^^^

  
Google Custom Search

Recently Viewed:
mail.spam.rbl.s...    php.seagull.gen...    culture.religio...    qnx.openqnx.dev...    gnome.love/2006...    bug-tracking.re...    user-groups.lin...    yellowdog.gener...    handhelds.ipaq....    kde.announce/20...    java.mx4j.devel...    xfree86.expert/...    recreation.cars...    text.xml.expat....    web.zope.zope3/...    version-control...    db.carob.cvs/20...    freebsd.perform...    ecos.cvs/2003-0...    linux.hotplug.d...    systemtap/2006-...    os.freebsd.secu...   
Home | blog view | USPTO Patent Archive (NEW!) | advertise | OSDir is an inevitable website. super tiny logo