public inbox for gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] [Fwd: Multiple PAM vulnerabilities in portable OpenSSH]
From: Christian Gut @ 2003-09-23 13:21 UTC
  To: gentoo-dev


http://bugs.gentoo.org/show_bug.cgi?id=29417
-----Forwarded Message-----
> From: Damien Miller <djm@cvs.openbsd.org>
> To: openssh-unix-announce@mindrot.org
> Cc: announce@openbsd.org, bugtraq@securityfocus.com, lwn@lwn.net, misc@openbsd.org, news@linuxsecurity.com, openssh-unix-dev@mindrot.org, pab@ct.heise.de, secureshell@securityfocus.com, technik@genua.de, timothy@monkey.org, webmaster@deadly.org
> Subject: Multiple PAM vulnerabilities in portable OpenSSH
> Date: Tue, 23 Sep 2003 06:40:25 -0600
> 
> Subject: Portable OpenSSH Security Advisory: sshpam.adv
> 
> This document can be found at:  http://www.openssh.com/txt/sshpam.adv
> 
> 1. Versions affected:
> 
>         Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple 
>         vulnerabilities in the new PAM code. At least one of these bugs 
>         is remotely exploitable (under a non-standard configuration, 
>         with privsep disabled). 
> 
>         The OpenBSD releases of OpenSSH do not contain this code and 
>         are not vulnerable. Older versions of portable OpenSSH are not 
>         vulnerable.
> 
> 2. Solution:
> 
>         Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM 
>         support ("UsePam no" in sshd_config). 
> 
>         Due to complexity, inconsistencies in the specification and 
>         differences between vendors' PAM implementations we recommend 
>         that PAM be left disabled in sshd_config unless there is a need 
>         for its use. Sites only using public key or simple password 
>         authentication usually have little need to enable PAM support.
-- 
Christian Gut <cycloon@is-root.org>
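As an added example, not part of the forwarded advisory or of OpenSSH itself: a POSIX shell check of an sshd_config for the two settings the advisory ties together, UsePAM and privilege separation, flagging the "privsep disabled" configuration it calls remotely exploitable. The sample sshd_config is constructed for the example; the helper names are mine.

```shell
#!/bin/sh
# Added example (not the advisory's or OpenSSH's own code): audit an
# sshd_config for UsePAM and UsePrivilegeSeparation. sshd_config keywords
# are case-insensitive ("UsePam" and "UsePAM" name the same directive), the
# first uncommented occurrence of a keyword wins, "#" starts a comment, and
# "Keyword=value" is accepted alongside "Keyword value".

# sshd_effective FILE KEYWORD DEFAULT
# Prints the first uncommented value of KEYWORD in FILE (lower-cased),
# or DEFAULT when the keyword is not set.
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(sed -e 's/#.*//' -e 's/=/ /' "$1" | awk -v k="$key" '
        tolower($1) == k { print tolower($2); exit }')
    printf '%s\n' "${val:-$3}"
}

# pam_exposure FILE
# Classifies the configuration against the advisory:
#   pam-disabled  UsePAM is "no" (the advisory's workaround)
#   pam-unset     UsePAM not set: the compiled-in default decides, check it
#   remote        UsePAM yes with privsep off: the advisory's remote case
#   pam-enabled   UsePAM yes but privsep on (sshd's default setting)
pam_exposure() {
    pam=$(sshd_effective "$1" UsePAM unset)
    privsep=$(sshd_effective "$1" UsePrivilegeSeparation yes)
    case "$pam" in
        no)    echo pam-disabled ;;
        unset) echo pam-unset ;;
        *)     if [ "$privsep" = no ]; then echo remote; else echo pam-enabled; fi ;;
    esac
}

# Constructed sample: the non-standard configuration the advisory describes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sshd_config (constructed for this example)
UsePrivilegeSeparation no
UsePam yes          # spelled as in the advisory; still matches UsePAM
UsePAM no           # ignored: the first occurrence wins
EOF
pam_exposure "$sample"   # prints: remote
rm -f "$sample"
```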
