OpenSSH Security Advisory (adv.token)

Ben Lindstrom mouring at etoh.eviladmin.org
Tue Apr 23 23:20:29 EST 2002


Note the portable CVS does not have the patch defined in Niels' post.  I'm
still recollecting myself from my trip last week.

- Ben

On Tue, 23 Apr 2002, Damien Miller wrote:

>
>
> On Tue, 23 Apr 2002, Anders Nordby wrote:
>
> > Hi,
> >
> > On Sat, Apr 20, 2002 at 11:39:31PM -0400, Niels Provos wrote:
> > > 2. Impact:
> > >
> > >         Remote users may gain privileged access for OpenSSH < 2.9.9
> > >
> > >         Local users may gain privileged access for OpenSSH < 3.3
> > >
> > >         No privileged access is possible for OpenSSH with
> > >         UsePrivsep enabled.
> >
> > OpenSSH 3.3? Is that a typo, or is it not ready yet? It's not on
> > ftp.openbsd.org.
>
> It is a little way from ready yet. Please try the CVS snapshots if you are
> interested :)
>
> Remember, unless you have compiled portable OpenSSH with KrbIV support
> (--with-kerberos4) *and* AFS support (--with-afs) *and* have set
> "kerberosTGTPassing yes" in sshd_config, then you are not vulnerable.
>
> -d
>
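
The runtime half of the condition Damien describes can be checked from the configuration file. The following is an added example, not code from the thread or from the OpenSSH project. It assumes whitespace-separated keyword/value lines and that UsePrivilegeSeparation is the sshd_config keyword behind what the advisory calls UsePrivsep; the function names and status strings are hypothetical.

```shell
#!/bin/sh
# Added example: audit sshd_config for the runtime condition in this thread.

# Print the effective value of an sshd_config keyword, or "unset".
# Keywords are matched case-insensitively and the first value read wins,
# so a later line with a different value does not change the result.
sshd_opt() {  # usage: sshd_opt <keyword> <config-file>
    awk -v want="$1" '
        BEGIN { want = tolower(want); val = "unset" }
        /^[ \t]*(#|$)/ { next }                 # skip comments, blank lines
        !found && tolower($1) == want { val = tolower($2); found = 1 }
        END { print val }
    ' "$2"
}

# Classify a config file. Whether sshd was built with --with-kerberos4 and
# --with-afs is not visible here and must be checked against the build.
# An unset UsePrivilegeSeparation is treated as "not enabled" (assumption:
# the conservative reading, since the default depends on the version).
tgt_passing_status() {  # usage: tgt_passing_status <config-file>
    tgt=$(sshd_opt KerberosTgtPassing "$1")
    privsep=$(sshd_opt UsePrivilegeSeparation "$1")
    if [ "$tgt" != "yes" ]; then
        echo "not-enabled"
    elif [ "$privsep" = "yes" ]; then
        echo "enabled-privsep"
    else
        echo "enabled-no-privsep"
    fi
}

# Constructed sample config (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# KerberosTgtPassing no
Port 22
  kerberosTGTPassing yes
KerberosTgtPassing no
EOF
tgt_passing_status "$sample"
rm -f "$sample"
```

A result of `enabled-no-privsep` means only the configuration condition is met; the two compile-time options still decide whether the host is affected.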
