Maak er maar 95% van indien de geruchten dat er een exploit voor Open SSH 2.9p2 is.

Enfin happy hunting

Wel grappig natuurlijk dat er nu niemand roept dat Un*x-beheerders te lui zijn om te patchen :p

Peter

gewoon updaten naar 2.9.9p2


Groetjes..een worst.

Is dat wel zo?

-------- Original Message --------
Subject: OpenSSH 3.0.2 fixes UseLogin vulnerability
Resent-Date: Tue, 4 Dec 2001 16:05:05 +0100
Resent-From: [email]Markus_Friedl@genua.de[/email]
Resent-To: [email]security-announce@openbsd.org[/email]
Date: Tue, 4 Dec 2001 13:48:19 +0100
From: Markus Friedl <Markus_Friedl@genua.de>
Reply-To: [email]openssh@openbsd.org[/email]
To: [email]security-announce@openbsd.org[/email]

OpenSSH 3.0.2 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued
support and encouragement.

Important Changes:
==================

This release fixes a vulnerability in the UseLogin option
of OpenSSH. This option is not enabled in the default
installation of OpenSSH.

However, if UseLogin is enabled by the administrator, all
versions of OpenSSH prior to 3.0.2 may be vulnerable to
local attacks.

The vulnerability allows local users to pass environment
variables (e.g. LD_PRELOAD) to the login process. The login
process is run with the same privilege as sshd (usually
with root privilege).

Do not enable UseLogin on your machines or disable UseLogin
again in /etc/sshd_config:
UseLogin no

We also have received many reports about attacks against the crc32
bug. This bug has been fixed about 12 months ago in OpenSSH 2.3.0.
However, these attacks cause non-vulnerable daemons to chew a lot
of cpu since the crc32 attack sends a tremendously large amount of
data which must be processed.