Nitro
Bodhisattva
Joined: 08 Apr 2002
Posts: 661
Location: San Francisco
|
 Posted: Thu Jun 27, 2002 2:35 am Post subject: [gentoo-announce] GLSA: OpenSSH |
 |
|
| Seemant Kulleen wrote: |
OVERVIEW
This bug can be exploited remotely if ChallengeResponseAuthentication
is enabled in sshd_config, allowing attackers to gain superuser access.
DETAIL
A vulnerability exists within the "challenge-response" authentication
mechanism in the OpenSSH daemon (sshd). This mechanism, part of the SSH2
protocol, verifies a user's identity by generating a challenge and
forcing the user to supply a number of responses. It is possible for a
remote attacker to send a specially-crafted reply that triggers an
overflow. Remote attackers can therefore gain superuser priveleges.
http://online.securityfocus.com/archive/1/278818/2002-06-23/2002-06-29/0
http://openssh.org/txt/preauth.adv
http://openssh.org/txt/iss.adv
Affected versions are: openssh-3.3_p1 and earlier.
SOLUTION
It is recommended that all Gentoo Linux users who are running openssh
update their systems as follows.
emerge --clean rsync
emerge openssh
emerge clean
|
Mailing list archive: http://lists.gentoo.org/pipermail/gentoo-announce/2002-June/000168.html
Also, I'd like to also mention the CERT Advisory: http://www.cert.org/advisories/CA-2002-18.html
_________________
- Kyle Manna
Please, please SEARCH before posting.
There are three kinds of people in the world: those who can count, and those who can't. |
|
News & Announcements
