Re: OpenSSH Vulnerability - Upgrade to 3.7.1

2003-09-17 Thread Chris Purcell
You can get backported Red Hat RPMs from ftp://updates.redhat.com

-- Chris Purcell, RHCE

> http://zdnet.com.com/2100-1105_2-5077796.html?tag=zdfd.newsfeed
>
> http://openssh.org/
>
> You can get the source from http://openssh.org. Good luck finding the
> rpms. Let us know where you find them.

OpenSSH Vulnerability - Upgrade to 3.7.1

2003-09-17 Thread Sevatio
http://zdnet.com.com/2100-1105_2-5077796.html?tag=zdfd.newsfeed http://openssh.org/ You can get the source from http://openssh.org. Good luck finding the rpms. Let us know where you find them.

OpenSSH vulnerability -- disable ChallengeResponseAuthentication

2002-06-26 Thread Brandon Hutchinson
Hello all! I just saw a post on Bugtraq from ISS X-Force about the OpenSSH vulnerability. Here is an interesting excerpt: - ISS X-Force recommends that system administrators disable unused OpenSSH authentication mechanisms. Administrators can remove this vulnerability by disabling the

Re: RE: OpenSSH Vulnerability...activate Priv Separation ??

2002-06-26 Thread Jose Celestino
Words by Chavez Gutierrez, Freddy [Wed, Jun 26, 2002 at 09:11:52AM -0500]:
> >the best thing to do is to upgrade to 3.3 and activate
> >priv separation.
>
> I already upgraded OpenSSH to version 3.3 but,
> how can I activate Priv Separation??. Thanks.
>

On the /etc/ssh/sshd_config put/alter to

Re: OpenSSH Vulnerability...activate Priv Separation ??

2002-06-26 Thread Emmanuel Seyman
On Wed, Jun 26, 2002 at 09:11:52AM -0500, Chavez Gutierrez, Freddy wrote:
>
> I already upgraded OpenSSH to version 3.3 but,
> how can I activate Priv Separation??. Thanks.

add this line to /etc/ssh/sshd_config and restart sshd:

UsePrivilegeSeparation yes

Emmanuel

RE: OpenSSH Vulnerability...activate Priv Separation ??

2002-06-26 Thread Chavez Gutierrez, Freddy
>the best thing to do is to upgrade to 3.3 and activate
>priv separation.

I already upgraded OpenSSH to version 3.3 but,
how can I activate Priv Separation??. Thanks.

Freddy Chavez.

Re: OpenSSH Vulnerability

2002-06-26 Thread Emmanuel Seyman
On Wed, Jun 26, 2002 at 06:32:22AM -0700, Jonathan Bartlett wrote:
>
> Oh, yes, and does PAM work?

This is what I get in /var/log/messages after upgrading to 3.3p1 .

root@munshine ssh]# tail -4 /var/log/messages
Jun 26 15:23:43 munshine sshd[31340]: Server listening on 0.0.0.0 port 22.
Jun 26 15

Re: OpenSSH Vulnerability

2002-06-26 Thread Emmanuel Seyman
On Wed, Jun 26, 2002 at 09:01:30AM -0400, Thomas Porter wrote:
>
> 1.I activated privilege separation as recommended.
> 2.I added 'Compression off' to sshd config file.

Humm.. The man for ssh_config says the argument must be "yes" or "no". Setting it to "no" made it work here. Thanks, T

Re: OpenSSH Vulnerability

2002-06-26 Thread Jonathan Bartlett
Oh, yes, and does PAM work?

Jon

On Wed, 26 Jun 2002, Thomas Porter wrote:
> On Wed, Jun 26, 2002 at 10:15:44AM +0200, Emmanuel Seyman thoughtfully expounded:
> > FWIW, after reading Theo's post, I downloaded OpenSSH 3.3 and installed
> > it on my machine. I activated priv separation, restarted

Re: OpenSSH Vulnerability

2002-06-26 Thread Jonathan Bartlett
Compiled with or without PAM?

On Wed, 26 Jun 2002, Thomas Porter wrote:
> On Wed, Jun 26, 2002 at 10:15:44AM +0200, Emmanuel Seyman thoughtfully expounded:
> > FWIW, after reading Theo's post, I downloaded OpenSSH 3.3 and installed
> > it on my machine. I activated priv separation, restarted ssh

Re: OpenSSH Vulnerability

2002-06-26 Thread Thomas Porter
On Wed, Jun 26, 2002 at 10:15:44AM +0200, Emmanuel Seyman thoughtfully expounded:
> FWIW, after reading Theo's post, I downloaded OpenSSH 3.3 and installed
> it on my machine. I activated priv separation, restarted ssh and tried
> to scp a file from my machine. It failed. I downgraded back to the

Re: OpenSSH Vulnerability

2002-06-26 Thread Emmanuel Seyman
On Tue, Jun 25, 2002 at 04:00:40PM -0700, David Talkington wrote:
>
> Emmanuel Seyman wrote:
>
> >- We only have Theo's word that there is a bug to fix.
>
> That's pretty much the nutshell version (but that last one is a little
> silly -- I don't think it's likely that he's risking his integrit

Re: OpenSSH Vulnerability

2002-06-25 Thread Emmanuel Seyman
On Tue, Jun 25, 2002 at 02:33:19PM -0600, Ashley M. Kirchner wrote:
>
> What position would that be? "Everyone to their own? Should they get
> broken into, tough?"

Priv separation (the new feature in OpenSSH we're talking about) was introduced in OpenSSH 3.3, released 3 days ago.
- It has no

Re: OpenSSH Vulnerability

2002-06-25 Thread Ashley M. Kirchner
Brian Ashe wrote:
> "You need to get version 3.3 that was just released and could be really
> broken for your distro, spend a great deal of time fixing some of it to
> hopefully reduce the potential damage, lose functionality that some people
> may rely on, require people to modify the way their

Re[2]: OpenSSH Vulnerability

2002-06-25 Thread Brian Ashe
Hello Ashley,

Tuesday, June 25, 2002, 4:33:19 PM, you textually orated:

AMK> David Talkington wrote:
>> This will be complicated, and I don't envy Red Hat's (and other
>> vendors') position.

AMK> What position would that be? "Everyone to their own? Should they get
AMK> broken into, tough

Re: OpenSSH Vulnerability

2002-06-25 Thread Ashley M. Kirchner
David Talkington wrote:
> This will be complicated, and I don't envy Red Hat's (and other
> vendors') position.

What position would that be? "Everyone to their own? Should they get broken into, tough?"

--
W | I haven't lost my mind; it's backed up on tape somewhere.
+---

Re: OpenSSH Vulnerability

2002-06-25 Thread David Talkington
Ray Parish wrote:
>3.2.3p1-3 is the latest on Rawhide.
>Hopefully something soon, RedHat?

This will be complicated, and I don't envy Red Hat's (and other vendors') position. Upgrading alone isn't sufficient at this point; a potentially problematic

Re: OpenSSH Vulnerability

2002-06-25 Thread Ray Parish
3.2.3p1-3 is the latest on Rawhide.
Hopefully something soon, RedHat?

Ray

- Original Message -
From: "Ashley M. Kirchner" <[EMAIL PROTECTED]>
To: "Red Hat Mailing List" <[EMAIL PROTECTED]>
Sent: Tuesday, June 25, 2002 2:54 PM
Subject: OpenSSH Vulnerabili

OpenSSH Vulnerability

2002-06-25 Thread Ashley M. Kirchner
Can we expect a new release any time soon? OpenSSH.org is urging everyone to upgrade to 3.3. RH's latest release is 3.1p1... -- W | I haven't lost my mind; it's backed up on tape somewhere. + Ashley M. Kirchner

Re: openssh vulnerability

2001-04-11 Thread David Talkington
Peter Peltonen wrote:
>I am using the openssh-2.5.2p2-1 RPMs downloaded from the OpenSSH download
>site.
>
>I am not using the RPMs that came with RH7. So, the question is: Are the RPMs
>that I'm using safe or should I upgrade to the ones that RH recently updat

openssh vulnerability

2001-04-11 Thread Peter Peltonen
I am using the openssh-2.5.2p2-1 RPMs downloaded from the OpenSSH download site. I am not using the RPMs that came with RH7. So, the question is: Are the RPMs that I'm using safe or should I upgrade to the ones that RH recently updated? I'm using the same version on both RH6.2 and RH7 -- if I n