SSHD

Karsten W. Rohrbach karsten at rohrbach.de
Thu Jun 27 17:00:57 UTC 2002


Jeremy T. Bouse(Jeremy.Bouse at UnderGrid.net)@2002.06.26 13:40:28 +0000:
> 	Just be sure you read the full advisory and look deep into it
> and your own configuration. Recent news has come to light which appears
> that it is most *BSD OS flavors and those using BSD_AUTH and SKEY. Most
> often these are not enabled by default on non-BSD OSes.

according to several discussions that took part in the last 48 hours,
the flaw fixed in 3.4 might also impact on systems using PAM for
authenticating ssh logins; it appears to me that the involved group of
researchers did not test operating systems other than the free *BSDs.
CA-2002-18 has some more vendor specific information:
    http://www.cert.org/advisories/CA-2002-18.html

sure, it's a critical bug, but one should not overlook the apache chunk
handling vulnerability published in CA-2002-17 as it has been integrated
into skr1ptk1dd13's "tools" already, apparently. depending on your
site's policy you probably have tight restrictions on ssh access, but
http is probably allowed from 0/0 so it might be even more critical.

regards,
/k

-- 
> [X] <-- nail here for new monitor
WebMonster Community Project -- Next Generation Networks GmbH -- All on BSD
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG:   0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4  A113 B393 6BF4 DEC9 48A6
REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46
REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C  5F 0B E0 6B 4D CD 8C 44
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x