Rick Warner wrote:

>telnetd is not owned or controlled by Sun.

True, but only Sun can patch the Solaris implementation. That's the problem, and is why Sun admins are helpless in those situations.

>In fact, telnetd was not the problem, login was the problem and
>anything that called login, including some ssh programs, were
>vulnerable. Yes, ssh was just as vulnerable as telnet in this
>specific instance if password authentication was turned on. This is
>specifically stated in the CERT advisory.

I think that we might be talking about two different incidents. It is true that UseLogin exposes sshd to vulnerabilities in login, but that wasn't related to the telnet problem of last August.

For the record, here is the Bugtraq report. To be fair, it does suggest that exploiting this on a Sun sparc would not be trivial. I don't know if an exploit for that platform exists, though there are exploits for other implementations.

http://online.securityfocus.com/advisories/3463

Beyond this, I think we should probably conclude that we differ on what constitutes acceptable risk, and leave it at that.

-d

--
David Talkington
PGP key: http://www.prairienet.org/~dtalk/0xCA4C11AD.pgp

_______________________________________________
Redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list