OpenSSH Security Advisory (adv.token)
Damien Miller
djm at mindrot.org
Tue Apr 23 17:16:29 EST 2002
On Tue, 23 Apr 2002, Anders Nordby wrote:
> Hi,
>
> On Sat, Apr 20, 2002 at 11:39:31PM -0400, Niels Provos wrote:
> > 2. Impact:
> >
> > Remote users may gain privileged access for OpenSSH < 2.9.9
> >
> > Local users may gain privileged access for OpenSSH < 3.3
> >
> > No privileged access is possible for OpenSSH with
> > UsePrivsep enabled.
>
> OpenSSH 3.3? Is that a typo, or is it not ready yet? It's not on
> ftp.openbsd.org.
It is a little way from ready yet. Please try the CVS snapshots if you are
interested :)
Remember, unless you have compiled portable OpenSSH with KrbIV support
(--with-kerberos4) *and* AFS support (--with-afs) *and* have set
"kerberosTGTPassing yes" in sshd_config, then you are not vulnerable.
-d
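
The three conditions in the message above can be checked together. The script below is an added example, not part of the original message and not OpenSSH project code. The function names are hypothetical, the two build flags are passed in by the administrator because they cannot be read from sshd_config, and it assumes sshd uses the first occurrence of a keyword and treats an unset KerberosTgtPassing as "no".

```shell
#!/bin/sh
# Added example: evaluate the three exposure conditions named in the message.

# Print the effective KerberosTgtPassing value from an sshd_config file.
tgt_passing_value() {
    awk '
        { sub(/^[ \t]+/, "") }                      # drop leading blanks
        $0 == "" || /^#/ { next }                   # skip empty and comment lines
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)         # accept "keyword=value"
            n = split(line, f, /[ \t]+/)
            # Keywords are case-insensitive, so compare in lower case.
            if (tolower(f[1]) == "kerberostgtpassing" && n >= 2) {
                v = f[2]; gsub(/"/, "", v)
                print tolower(v); found = 1; exit   # assumption: first occurrence wins
            }
        }
        END { if (!found) print "no" }              # assumption: default is "no"
    ' "$1"
}

# exposed KRB4 AFS CONFIG
# KRB4 / AFS: "yes" if the binary was built --with-kerberos4 / --with-afs.
# Exit status 0 only when all three conditions hold.
exposed() {
    [ "$1" = yes ] && [ "$2" = yes ] && [ "$(tgt_passing_value "$3")" = yes ]
}

# Constructed sample config, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# KerberosTgtPassing no
Port 22
KerberosAuthentication yes
kerberosTGTPassing yes
KerberosTgtPassing no
EOF

if exposed yes yes "$sample"; then
    echo "all three conditions hold: exposed per the message above"
else
    echo "at least one condition is missing: not exposed"
fi
rm -f "$sample"
```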