>>>>> "Alex" == Alex McLintock <[EMAIL PROTECTED]> writes:

    Alex> Sorry if this is old hat to everybody (I only get the digest
    Alex> of this list once or twice a day so you may already be
    Alex> discussing it) but....there is a vulnerability in recent
    Alex> versions of OpenSSH.

We haven't discussed it.  Yes, it is important for anyone running versions
of OpenSSH between 3.0-3.2 who _doesn't_ have:

    Alex> ChallengeResponseAuthentication no

in their sshd_config to upgrade now.  Most sane distributions (like
Debian) install sshd with this line as Alex sent it, which means that
you aren't vulnerable to today's exploit.  If you're running a standard
Red Hat sshd_config with OpenSSH 3.0-3.2, though, get upgrading.

OpenSSH 3.4 was released today, so it's worthwhile to upgrade to that
and enable privilege separation - at least, according to Theo.  :)

Comedy point: openbsd.org now advertises 'One remote hole in the default
install, in nearly six years!' rather than the ever-present 'No remote
holes in the default install in five years!'.

- Chris.
-- 
$a="printf.net";  Chris Ball | chris@void.$a | www.$a | finger: chris@$a
 "Blessings to the chap who invented ice cream, ginger-pop and the rest!
 I'd rather invent things like that any day than rockets and bombs."
   -- Julian, "Five on Finniston Farm"
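
Added example, not part of the message above and not OpenSSH project code: a shell check that applies the two criteria Chris gives (an OpenSSH version in 3.0-3.2, and no `ChallengeResponseAuthentication no` in sshd_config). The function names are hypothetical; it assumes sshd uses the first occurrence of a keyword and defaults to `yes` when the keyword is absent, and it takes the version token in the form `ssh -V` prints.

```shell
#!/bin/sh
# Added example: classify an sshd against the criteria in the message above.

# Read an sshd_config on stdin and print the effective value of
# ChallengeResponseAuthentication.
cra_setting() {
    awk '
        $1 ~ /^#/ { next }                 # skip comment lines
        tolower($1) == "challengeresponseauthentication" && !seen {
            print $2; seen = 1             # assumption: first occurrence wins
        }
        END { if (!seen) print "yes" }     # assumption: default is yes when absent
    '
}

# Succeed if the version string (e.g. OpenSSH_3.2.3p1) is in the 3.0-3.2 range.
in_affected_range() {
    v=${1#OpenSSH_}             # "3.2.3p1"
    major=${v%%.*}              # "3"
    rest=${v#*.}                # "2.3p1"
    minor=${rest%%[!0-9]*}      # "2"
    [ "$major" = 3 ] && [ "${minor:-9}" -le 2 ]
}

# $1 = version string; sshd_config on stdin. Prints a one-line verdict.
assess() {
    cra=$(cra_setting)
    if ! in_affected_range "$1"; then
        echo "outside the 3.0-3.2 range"
    elif [ "$cra" = no ]; then
        echo "in range, challenge-response disabled"
    else
        # Anything other than an exact "no" is treated as enabled.
        echo "UPGRADE: in range, challenge-response enabled"
    fi
}

# Constructed sample inputs (not taken from any real host):
printf 'Port 22\n' | assess OpenSSH_3.2.3p1
printf 'ChallengeResponseAuthentication no\n' | assess OpenSSH_3.2.3p1
printf 'Port 22\n' | assess OpenSSH_3.4p1
```

On a real host, feed it the live file and version, for example `assess "$(ssh -V 2>&1 | cut -d, -f1)" < /etc/ssh/sshd_config`; the config path is an assumption and varies by distribution.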

