* [gentoo-dev] [Fwd: Multiple PAM vulnerabilities in portable OpenSSH]
From: Christian Gut @ 2003-09-23 13:21 UTC
To: gentoo-dev
http://bugs.gentoo.org/show_bug.cgi?id=29417
-----Forwarded Message-----
> From: Damien Miller <djm@cvs.openbsd.org>
> To: openssh-unix-announce@mindrot.org
> Cc: announce@openbsd.org, bugtraq@securityfocus.com, lwn@lwn.net, misc@openbsd.org, news@linuxsecurity.com, openssh-unix-dev@mindrot.org, pab@ct.heise.de, secureshell@securityfocus.com, technik@genua.de, timothy@monkey.org, webmaster@deadly.org
> Subject: Multiple PAM vulnerabilities in portable OpenSSH
> Date: Tue, 23 Sep 2003 06:40:25 -0600
>
> Subject: Portable OpenSSH Security Advisory: sshpam.adv
>
> This document can be found at: http://www.openssh.com/txt/sshpam.adv
>
> 1. Versions affected:
>
> Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
> vulnerabilities in the new PAM code. At least one of these bugs
> is remotely exploitable (under a non-standard configuration,
> with privsep disabled).
>
> The OpenBSD releases of OpenSSH do not contain this code and
> are not vulnerable. Older versions of portable OpenSSH are not
> vulnerable.
>
> 2. Solution:
>
> Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM
> support ("UsePam no" in sshd_config).
>
> Due to complexity, inconsistencies in the specification and
> differences between vendors' PAM implementations we recommend
> that PAM be left disabled in sshd_config unless there is a need
> for its use. Sites only using public key or simple password
> authentication usually have little need to enable PAM support.
--
Christian Gut <cycloon@is-root.org>
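An added example, not part of the forwarded advisory or of the OpenSSH project: a POSIX shell check that takes an OpenSSH version string (the first word of `ssh -V` output, or the `OpenSSH_x.y` part of the `SSH-2.0-...` banner a server sends on connect) plus an sshd_config and reports where the host stands under sshpam.adv. Two details matter for reading the advisory's workaround: sshd matches keyword names case-insensitively, so the advisory's "UsePam no" and the documented spelling "UsePAM no" are the same setting, and sshd uses the first occurrence of a keyword, so a later "UsePAM yes" does not undo an earlier "no". Function names, the status words and the sample sshd_config are constructed for this example; when UsePAM is absent the script treats PAM as enabled, which is the conservative reading of the advisory's instruction to set it explicitly.

```shell
#!/bin/sh
# Added example (not from the advisory or OpenSSH): classify a host against
# sshpam.adv from its OpenSSH version string and its sshd_config.
# Assumes "Keyword value" lines separated by whitespace (no "Keyword=value").

# Effective value of a keyword. sshd takes the FIRST occurrence of a keyword
# and compares keyword names case-insensitively ("UsePam" == "UsePAM").
effective_option() {  # $1 = sshd_config path, $2 = keyword; prints value or ""
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" '
        /^[[:space:]]*#/   { next }            # comment line
        NF < 2             { next }            # blank or valueless line
        tolower($1) == key { print $2; exit }  # first match wins
    ' "$1"
}

# The two portable releases the advisory names as affected.
affected_version() {  # $1 = e.g. OpenSSH_3.7.1p1
    case "$1" in
        OpenSSH_3.7p1|OpenSSH_3.7.1p1) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one of: not-affected, mitigated, vulnerable-remote, vulnerable
sshpam_check() {  # $1 = version string, $2 = sshd_config path
    if ! affected_version "$1"; then
        echo not-affected          # OpenBSD OpenSSH, older portable, or 3.7.1p2+
        return 0
    fi
    pam=$(effective_option "$2" UsePAM)
    case "$pam" in
        [Nn][Oo]) echo mitigated; return 0 ;;   # advisory workaround in place
    esac
    # PAM on, or unset (treated as on: conservative assumption for this example).
    privsep=$(effective_option "$2" UsePrivilegeSeparation)
    case "${privsep:-yes}" in                   # privsep is on unless disabled
        [Nn][Oo]) echo vulnerable-remote ;;     # the advisory's remote case
        *)        echo vulnerable ;;            # bugs present; upgrade to 3.7.1p2
    esac
}

# Constructed sample sshd_config: the first UsePAM line wins, so the trailing
# "UsePAM yes" does not re-enable PAM.
write_sample_config() {  # $1 = destination path
    cat > "$1" <<'EOF'
# sshd_config (constructed for this example)
Port 22
Protocol 2
UsePam no
UsePrivilegeSeparation yes
PasswordAuthentication yes
UsePAM yes
EOF
}

# Usage: run the check against the sample config.
tmp=${TMPDIR:-/tmp}/sshd_config.example.$$
write_sample_config "$tmp"
echo "OpenSSH_3.7.1p1 with sample config: $(sshpam_check OpenSSH_3.7.1p1 "$tmp")"
rm -f "$tmp"
```

To check a real host, feed the path of its sshd_config and the version from its banner; a result of "vulnerable" still calls for the upgrade the advisory asks for, since the workaround only removes the PAM code path and the remote case depends on privsep being off.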