OpenSSH Security Advisory (adv.token)

Jason Stone jason at shalott.net
Thu Apr 25 11:43:25 EST 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> > A buffer overflow exists in OpenSSH's sshd if sshd has been compiled
> > with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing
> > has been enabled in the sshd_config file.  Ticket and token passing
> > is not enabled by default.
> >
> > 1. Systems affected:
> > ...
> > 2. Impact:
> >
> >         Remote users may gain privileged access for OpenSSH < 2.9.9
> >
> >         Local users may gain privileged access for OpenSSH < 3.3
>
> from where did you get openssh version 3.3?  as of today (24 apr),
> openssh's website listed version 3.1p1 as the current version.

This is the forthcoming new release.  It's been being tested for a while
now and will be released... soon.


 -Jason

 -----------------------------------------------------------------------
 I worry about my child and the Internet all the time, even though she's
 too young to have logged on yet.  Here's what I worry about.  I worry
 that 10 or 15 years from now, she will come to me and say "Daddy, where
 were you when they took freedom of the press away from the Internet?"
	-- Mike Godwin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE8x189swXMWWtptckRAvBkAKD4Q1dO8PoNHdzmNHJ2/WO7ZMyofQCfYGgV
iCTxKtF8KySz44t55MW6apc=
=hnK+
-----END PGP SIGNATURE-----
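
Added example (not part of the original message, the advisory, or the OpenSSH code base): a check of a host against the conditions the quoted advisory states, namely the two sshd_config options and the two version thresholds. The function names, the sample config and the built_with_krb_afs input are assumptions made here; whether sshd was compiled with Kerberos/AFS support cannot be read from sshd_config and must be supplied by the caller.

```python
import re

# Option names and version thresholds are the ones quoted in the advisory above.
PASSING_OPTIONS = {"kerberostgtpassing": "KerberosTgtPassing",
                   "afstokenpassing": "AFSTokenPassing"}
REMOTE_FIXED = (2, 9, 9)   # "Remote users ... for OpenSSH < 2.9.9"
LOCAL_FIXED = (3, 3)       # "Local users ... for OpenSSH < 3.3"

# Constructed sample sshd_config, not taken from any real host.
SAMPLE_CONFIG = """\
# constructed sample
Port 22
kerberostgtpassing yes
KerberosTgtPassing no
#AFSTokenPassing yes
AFSTokenPassing=no
"""

def enabled_passing_options(config_text):
    """Return the advisory's options whose effective value is on."""
    effective = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()            # keywords are case-insensitive
        if key in PASSING_OPTIONS and key not in effective and len(parts) == 2:
            effective[key] = parts[1].strip().strip('"').lower()  # first value wins
    # Treating "true" like "yes" is a conservative assumption of this example.
    return sorted(PASSING_OPTIONS[k] for k, v in effective.items() if v in ("yes", "true"))

def parse_version(version):
    """'3.1p1' or 'OpenSSH_3.1p1' -> (3, 1); the portable suffix is ignored."""
    m = re.search(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    return tuple(int(p) for p in m.group(0).split("."))

def assess(version, config_text, built_with_krb_afs):
    """Classify a host as 'remote', 'local', 'fixed' or 'not exposed'."""
    options = enabled_passing_options(config_text)
    if not (built_with_krb_afs and options):
        return "not exposed", options
    v = parse_version(version)
    if v < REMOTE_FIXED:
        return "remote", options
    return ("local" if v < LOCAL_FIXED else "fixed"), options
```
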



