OpenSSH: multiple vulnerabilities in the new PAM code
Mike Tancsa
mike at sentex.net
Fri Sep 26 08:36:11 PDT 2003
Hi,
Are there plans for an updated advisory ? In the mean time, I take
it the same build instructions apply ?
---Mike
At 11:32 AM 24/09/2003, Jacques A. Vidrine wrote:
>On Wed, Sep 24, 2003 at 09:27:17AM -0500, D J Hawkey Jr wrote:
> > On Sep 24, at 09:20 AM, Jacques A. Vidrine wrote:
> > >
> > > On Wed, Sep 24, 2003 at 11:16:03AM +0200, Sheldon Hearn wrote:
> > > > On (2003/09/23 16:53), Haesu wrote:
> > > >
> > > > > Oh jee, here we go again. Hey, at least patched 3.5p1 on FreeBSD
> > > > > 4.8/4.9 are not effected :)
> > > >
> > > > Since -CURRENT's using a modified OpenSSH_3.6.1p1, I don't think this
> > > > issue affects FreeBSD at all.
> > >
> > > Unfortunately, it _does_ affect us. The PAM code in OpenSSH 3.7x was
> > > taken from FreeBSD's PAM code. des@ is working the issue now.
> >
> > But just "portable", right?
>
>No, not just OpenSSH-portable.
>
> > Or are any "core" OpenSSHes across various
> > FreeBSD releases also vulnerable?
>
>I'm only talking about the base system OpenSSH above (which is based
>on OpenSSH-portable), but both `openssh' and `openssh-portable' in the
>Ports Collection are likely affected, as they contain the same code
>(brought in by the port maintainer).
>
>Cheers,
>--
>Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
>nectar at celabo.org . jvidrine at verio.net . nectar at freebsd.org . nectar at kth.se
>_______________________________________________
>freebsd-security at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
More information about the freebsd-security
mailing list