Re: Close OpenSSH hole on a supported server without shutting down?
- In reply to: Andrea Venturoli : "Close OpenSSH hole on a supported server without shutting down?"
Date: Wed, 03 Jul 2024 07:22:31 UTC
On 2024-07-03 08:42, the silly Andrea Venturoli claimed to have said:
> P.S.
> Out of mere curiosity:
> _ all articles I read say that this is a vulnerability found in OpenSSH’s
> server in *glibc-based* Linux systems;
> _ I would desume that non-glibc-based systems are not vulnerable;
> _ but FreeBSD is???

For context, both glibc-based Linux distros and FreeBSD, as well as macOS and a number of NetBSD ports, are vulnerable because the SIGALRM handler calls the syslog() function the exploit relies on.

OpenBSD and musl-based Linux distros are not vulnerable, because OpenBSD uses syslog_r() instead, which they developed all the way back in 2001. And in the case of musl, its syslog implementation doesn't (sub)call async-signal-unsafe functions, nor does it dynamically allocate memory.

--
lain.
PGP public key: https://fair.moe/lain.asc
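The handler pattern described in the message above, next to an async-signal-safe alternative, as an added example that is not part of the original message and is not OpenSSH's code. The function names and log strings are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
/* Only volatile sig_atomic_t objects may be written from a handler. */
static volatile sig_atomic_t grace_expired = 0;

/* Unsafe pattern, for contrast only (never installed below): syslog() is not
 * async-signal-safe and may allocate memory while the interrupted code does. */
void unsafe_alarm_handler(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "timeout before authentication"); /* constructed text */
    _exit(1);
}

/* Safe pattern: record the event and return; log later in normal context. */
static void safe_alarm_handler(int sig)
{
    (void)sig;
    grace_expired = 1;
}

/* Hypothetical helper: arm a timer, wait for it, then log outside the
 * handler. Returns 1 once the timer expired, -1 if setup failed. */
int wait_for_grace_timeout(unsigned int seconds)
{
    struct sigaction sa;
    sigset_t block, old, unblocked;
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = safe_alarm_handler;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGALRM, &sa, NULL) == -1)
        return -1;
    /* Block SIGALRM so it is delivered only inside sigsuspend(). */
    sigemptyset(&block);
    sigaddset(&block, SIGALRM);
    sigprocmask(SIG_BLOCK, &block, &old);
    unblocked = old;
    sigdelset(&unblocked, SIGALRM);
    grace_expired = 0;
    alarm(seconds);
    while (!grace_expired)
        sigsuspend(&unblocked);
    sigprocmask(SIG_SETMASK, &old, NULL);
    syslog(LOG_INFO, "grace period of %u s expired", seconds);
    return 1;
}
```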