On Wed, Sep 17, 2003 at 08:24:43AM +0300, Birzan George Cristian wrote:
According to the DSA, this is based on the 3.7 fix. OpenSSH's site lists
the only not vulnerable version as 3.7.1. In my mind, that means the ssh
version on security.debian.org right now is _STILL_ vulnerable. I'm not
a
On Tuesday 16 September 2003 22:30, Rich Puhek wrote:
[mix stable/testing/unstable]
This is what I usually do - and usually, it works quite fine. Right now,
though, I've been pulling in more and more from testing/unstable since some
things depend on the new glibc, and some other things randomly
Quoting Jan Niehusmann ([EMAIL PROTECTED]):
So I guess we all have to upgrade again. Didn't see packages with
patches derived from 3.7.1, yet.
I note:
http://incoming.debian.org/ssh_3.6.1p2-8_i386.deb
http://incoming.debian.org/ssh_3.6.1p2-8_mipsel.deb
On Wed, Sep 17, 2003 at 12:12:35AM -0700, Rick Moen wrote:
I note:
http://incoming.debian.org/ssh_3.6.1p2-8_i386.deb
http://incoming.debian.org/ssh_3.6.1p2-8_mipsel.deb
http://incoming.debian.org/ssh_3.6.1p2-8_powerpc.deb
...and would guess they're built from upstream's v. 3.7.1.
Adrian von Bidder wrote:
On Tuesday 16 September 2003 22:30, Rich Puhek wrote:
[mix stable/testing/unstable]
This is what I usually do - and usually, it works quite fine. Right now,
though, I've been pulling in more and more from testing/unstable since some
things depend on the new glibc, and
On Tue, Sep 16, 2003 at 01:10:34PM -0400, Dossy wrote:
On 2003.09.16, Christian Hammers [EMAIL PROTECTED] wrote:
The new version has already been installed. This was quick. Good work,
security team.
openssh (1:3.4p1-1.1) stable-security; urgency=high
* NMU by the security team.
On Tue, Sep 16, 2003 at 09:51:43PM +0200, Matthias Merz wrote:
So only one problem remains: The version in woody-proposed-updates is
1:3.4p1-1.woody.1 which is newer than the patched version. So I had to
manually downgrade my proposed-updates-version to get the fix.
(apt-get dist-upgrade
see tinyurl.com/nios
Sorry if this is a rehash, but I don't recall seeing a discussion and I'd
really like to think my stable boxes are safe :)
I know several people that are being attacked/had to patch ssh/filter
traffic.
--
Mental ([EMAIL PROTECTED])
The Torah... The Gospels... The
Hi,
Mental Patient wrote:
see tinyurl.com/nios
Sorry if this is a rehash, but I don't recall seeing a discussion and I'd
really like to think my stable boxes are safe :)
I know several people that are being attacked/had to patch ssh/filter
traffic.
According to Wichert, the security
On Tue, 16 Sep 2003, Alexander Neumann wrote:
According to Wichert, the security team is already working on an update.
Is there an emergency patch/workaround for this, if disabling ssh is not
an option? Are systems with Privilege Separation affected?
Thanks,
Thomas
On Tue, Sep 16, 2003 at 04:00:30PM +0100, Thomas Horsten wrote:
On Tue, 16 Sep 2003, Alexander Neumann wrote:
According to Wichert, the security team is already working on an update.
Is there an emergency patch/workaround for this, if disabling ssh is not
an option? Are systems with
On Tue, 2003-09-16 at 16:26, Michael Stone wrote:
On Tue, Sep 16, 2003 at 04:00:30PM +0100, Thomas Horsten wrote:
Is there an emergency patch/workaround for this, if disabling ssh is not
an option?
No.
You could install OpenSSH 3.7 manually, or apply the patch mentioned at
On Tue, Sep 16, 2003 at 04:00:30PM +0100, Thomas Horsten wrote:
Is there an emergency patch/workaround for this, if disabling ssh is not
an option? Are systems with Privilege Separation affected?
There's already a new package on security.debian.org. I can't
vouch for it myself, but here's the
On Tue, Sep 16, 2003 at 11:26:52AM -0400, Michael Stone wrote:
On Tue, Sep 16, 2003 at 04:00:30PM +0100, Thomas Horsten wrote:
Is there an emergency patch/workaround for this, if disabling ssh is not
an option?
No.
Actually, there is a patch for buffer.c:
* Thomas Horsten ([EMAIL PROTECTED]) [030916 17:32]:
Is there an emergency patch/workaround for this, if disabling ssh is not
an option? Are systems with Privilege Separation affected?
Filtering access to allow only trusted machines. But please remember:
Each allowed machine could exploit your
On Tue, 16 Sep 2003, Steve Suehring wrote:
Actually, there is a patch for buffer.c:
http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/buffer.c.diff?r1=1.1.1.6&r2=1.1.1.7&f=h
I've applied that patch to woody's ssh source, rebuilt it, and installed
it on a number of servers already.
Mental Patient [EMAIL PROTECTED] [2003:09:16:10:22:01-0400] scribed:
see tinyurl.com/nios
Sorry if this is a rehash, but I don't recall seeing a discussion and I'd
really like to think my stable boxes are safe :)
I know several people that are being attacked/had to patch ssh/filter
On Tuesday, Sep 16, 2003, at 08:34 US/Pacific, Andreas Barth wrote:
* Thomas Horsten ([EMAIL PROTECTED]) [030916 17:32]:
Is there an emergency patch/workaround for this, if disabling ssh is
not
an option? Are systems with Privilege Separation affected?
Filtering access to allow only trusted
On Tue, 16 Sep 2003, Steve Suehring wrote:
Nice job to debian security team again.
Indeed. The level of commitment routinely shown by the folks on the
security team is nothing short of astounding.
On 2003.09.16, Christian Hammers [EMAIL PROTECTED] wrote:
The new version has already been installed. This was quick. Good work,
security team.
openssh (1:3.4p1-1.1) stable-security; urgency=high
* NMU by the security team.
* Merge patch from OpenBSD to fix a security problem in
Ted Roby [EMAIL PROTECTED] writes:
Does this vulnerability require a login? Is a system safe if it does not
allow root login, and password logins?
Nobody knows the answer at the moment. There isn't any obvious way to
exploit the overflow (mind that the attacker cannot write arbitrary
data,
On Tue, Sep 16, 2003 at 01:10:34PM -0400, Dossy wrote:
Is 3.6.1p2-3 vulnerable? For those of us who want security, must we
downgrade to 3.4p1-1.1 or build from source after patching by hand? Or
will this security fix be applied to sarge as well?
I guess the patch will apply to sarge as well,
Actually, people have reported that there is an exploit, and in fact even OpenBSD is
vulnerable.
I would still patch ASAP. Best not to risk it.
It's probably a matter of time before a widely available exploit is released. Right
now it seems
it's in the hands of a select few, but that will
* Dossy ([EMAIL PROTECTED]) wrote:
On 2003.09.16, Christian Hammers [EMAIL PROTECTED] wrote:
The new version has already been installed. This was quick. Good work,
security team.
openssh (1:3.4p1-1.1) stable-security; urgency=high
* NMU by the security team.
* Merge patch
On Tue, Sep 16, 2003 at 07:29:33PM +0200, Jan Niehusmann wrote:
On Tue, Sep 16, 2003 at 01:10:34PM -0400, Dossy wrote:
Is 3.6.1p2-3 vulnerable? For those of us who want security, must we
downgrade to 3.4p1-1.1 or build from source after patching by hand? Or
will this security fix be
* Ted Roby ([EMAIL PROTECTED]) [030916 19:05]:
Does this vulnerability require a login? Is a system safe if it does not
allow root login, and password logins?
No. (And: The patch is uploaded to stable-security, and to unstable,
so just upgrade.)
Cheers,
Andi
--
On 2003.09.16, Stephen Frost [EMAIL PROTECTED] wrote:
Is 3.6.1p2-3 vulnerable? For those of us who want security, must we
downgrade to 3.4p1-1.1 or build from source after patching by hand? Or
will this security fix be applied to sarge as well?
There's at least a version on
On Tue, 16 Sep 2003, Josh Carroll wrote:
Actually, people have reported that there is an exploit, and in fact
even OpenBSD is vulnerable.
A number of people have claimed that others have said it is exploitable.
This is quite a common occurrence with well publicised exploits.
I've seen no proof
Dossy wrote:
On 2003.09.16, Stephen Frost [EMAIL PROTECTED] wrote:
Is 3.6.1p2-3 vulnerable? For those of us who want security, must we
downgrade to 3.4p1-1.1 or build from source after patching by hand? Or
will this security fix be applied to sarge as well?
There's at least a version on
Quoting Dossy ([EMAIL PROTECTED]):
Eek. So, if we want to run secure systems, we either have to run
unstable (and all the troubles that comes with) or stable?
The Security Team FAQ addresses this:
http://www.debian.org/security/faq#testing
Q: How is security handled for testing and
* Dossy ([EMAIL PROTECTED]) wrote:
Eek. So, if we want to run secure systems, we either have to run
unstable (and all the troubles that comes with) or stable? I find that
Old news... Sorry.
Stephen
TongKe Xue [EMAIL PROTECTED] writes:
When I read slashdot this morning, I thought the article titled
New ssh Exploit in the Wild implied that an exploit was already out
...
Exactly.
or does in the Wild generally mean it's theoretically possible,
but not necessarily done yet?
No, quite
Hello there,
Christian Hammers wrote:
On Tue, Sep 16, 2003 at 04:00:30PM +0100, Thomas Horsten wrote:
On Tue, 16 Sep 2003, Alexander Neumann wrote:
According to Wichert, the security team is already working on an update.
The new version has already been installed. This was quick.
On Tue, Sep 16, 2003 at 05:31:06PM +0200, Christian Hammers wrote:
The new version has already been installed. This was quick. Good work,
security team.
openssh (1:3.4p1-1.1) stable-security; urgency=high
* NMU by the security team.
* Merge patch from OpenBSD to fix a security
On Tue, Sep 16, 2003 at 04:00:30PM +0100, Thomas Horsten wrote:
Is there an emergency patch/workaround for this, if disabling ssh is not
an option?
No.
Are systems with Privilege Separation affected?
Yes, as far as I know.
Mike Stone
On Tue, Sep 16, 2003 at 04:49:19PM +0100, Thomas Horsten wrote:
Thanks, apt-get upgrade worked for me. I guess we'll find out soon enough
if it was the correct patch...
Good work on getting it integrated so quickly!
Heh. I can't take any credit for this. That's the work of the debian
Hello,
I don't really know much about computer security, but I do have ssh
installed on my computer so I'm somewhat concerned, please forgive my
stupidity if I ask questions that seem stupid, ignorant or trivial.
When I read slashdot this morning, I thought the article titled
New ssh Exploit
Quoting Stephen Frost ([EMAIL PROTECTED]):
There's at least a version on incoming.debian.org which has the version
for unstable. I don't know what to tell you about testing/sarge. I'm
sure it will be in before release but beyond that I've no idea when it
will make it into testing.
The
Josh Carroll [EMAIL PROTECTED] writes:
Actually, people have reported that there is an exploit, and in fact
even OpenBSD is vulnerable.
Yes, I've seen these claims, but you have to keep in mind that not
everyone who posts to mailing lists is entirely honest. 8-)
Early claims such as *BDDs,
Christian Hammers [EMAIL PROTECTED] wrote:
On Tue, Sep 16, 2003 at 04:00:30PM +0100, Thomas Horsten wrote:
On Tue, 16 Sep 2003, Alexander Neumann wrote:
According to Wichert, the security team is already working on an update.
Is there an emergency patch/workaround for
On Tue, Sep 16, 2003 at 11:59:34AM -0700, TongKe Xue wrote:
Hello,
Hi,
On a slightly off topic note, I'm thinking about running an
ftp/http/ssh server for personal use in college. What precautionary
measures should I take, or rather can I take? From reading over the
various Slashdot