[olug] Significant OpenSSH Vulnerability .. oh crap!

Brian Wiese bwiese at cotse.com
Tue Jun 25 06:44:21 UTC 2002


Yes, just after the Apache vulnerability, now we have one from OpenSSH. =(

	http://linuxsecurity.com/articles/cryptography_article-5185.html

Anyone else notice OpenSSH 3.3 was released a few days ago?  Well... GO
GET IT!  Yeah, I didn't know either until I read this... basically it says
we are all sol right now and there's not exactly a fix for the vuln,
they've been working on it and need more help from vendors, but the best
thing to do to minimize the impact is to upgrade to 3.3 and enable:

	priv separation in their ssh daemons, by setting this in your
 	/etc/ssh/sshd_config file:  
		UsePrivilegeSeparation yes

for obsd users:
	http://www.openssh.org/openbsd.html
for linux and all others:
	http://www.openssh.org/portable.html

what can debian users do? is there a quick fix yet?

peace,

  Brian Wiese | bwiese at cotse.com | aim: unolinuxguru
------------------------------------------------------
  GnuPG/PGP key 0x1E820A73 | "FREEDOM!" - Braveheart 
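
Added example, not part of the original post: a shell check that reports which UsePrivilegeSeparation value an sshd_config file actually sets, since sshd keeps the first value it reads for a keyword and a later "yes" does not override an earlier "no". The function names privsep_setting and privsep_check are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): report the value sshd would
# use for UsePrivilegeSeparation. sshd keeps the first value it reads for a
# keyword, and keywords are case-insensitive.

privsep_setting() {   # prints the first configured value, or "unset"
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)           # keyword ends at space or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)     # drop separator
            sub(/[ \t]+$/, "", val)             # drop trailing whitespace
            if (key == "useprivilegeseparation") { print val; found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

privsep_check() {     # exit status 0 only when the effective value is "yes"
    v=$(privsep_setting "$1")
    case "$v" in
        yes)   echo "OK: $1 enables privilege separation"; return 0 ;;
        unset) echo "WARN: $1 does not set UsePrivilegeSeparation"; return 1 ;;
        *)     echo "FAIL: $1 has UsePrivilegeSeparation $v"; return 1 ;;
    esac
}

# Constructed sample: the commented-out line is ignored, the first live line wins.
sample=$(mktemp)
printf '%s\n' 'Port 22' '#UsePrivilegeSeparation no' \
    'useprivilegeseparation yes' 'UsePrivilegeSeparation no' > "$sample"
privsep_check "$sample"
rm -f "$sample"
```

Point privsep_check at /etc/ssh/sshd_config after editing it, and restart sshd so the running daemon picks up the change.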
