OpenSSH Security Advisory (adv.token)

foo foo foomail123 at yahoo.com
Thu Apr 25 11:43:21 EST 2002


True, but..

1) I am not using Kerberos or such features.

2) The client is from OpenSSH 2.3.1 (my earlier email),
   not the 2.2 version.

3) The issue is that OpenSSH 2.5.2 and higher is
   sending an RSA key and the 2.3.1 client complains of
   incorrect key length (see my debug output).



--- Frank Smith <Frank.Smith at unilever.com> wrote:
> On Saturday, April 20, 2002 11:40 PM, Niels Provos
> [SMTP:provos at citi.umich.edu] wrote:
> > A buffer overflow exists in OpenSSH's sshd if sshd has been compiled
> > with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing
> > has been enabled in the sshd_config file.  Ticket and token passing
> > is not enabled by default.
> >
> > 1. Systems affected:
> > ...
> > 2. Impact:
> >
> >         Remote users may gain privileged access for OpenSSH < 2.9.9
> >
> >         Local users may gain privileged access for OpenSSH < 3.3
> >
> >         No privileged access is possible for OpenSSH with
> >         UsePrivsep enabled.
> >
> > 3. Solution:
> > ...
>
> from where did you get openssh version 3.3?  as of today (24 apr),
> openssh's website listed version 3.1p1 as the current version.
> 
> frank smith
> frank.smith at unilever.com