For us AIXers ...

Sandor W. Sklar ssklar at stanford.edu
Wed Jun 26 05:48:35 EST 2002


At 2:31 PM -0500 6/25/02, Ben Lindstrom wrote:
>On Tue, 25 Jun 2002, Sandor W. Sklar wrote:
>
>>  ... who are nervous because:
>>
>>  (a) it seems that there will be a widely-known vulnerability
>>  and/or exploit for OpenSSH available in the coming days, and
>>
>>  (b) the advertised fix for the problem, privilege separation, doesn't
>>  seem to be working on AIX as of the latest release version of OpenSSH
>>  (based on the comments I've read; I haven't tried it yet) ...
>>
>
>moving aix_usrinfo() into do_setusercontext() is the fix. And it's
>current in the CVS tree.  Mr Tucker was nice enough to provide the patch
>and verify it.
>
>The only downfall at this point is TTY= is not set by usrinfo().  At this
>moment I've not heard from anyone that has stated this is a problem in the
>short term.

Thank you so much!  Are there plans to do another "release" shortly 
(before the announcement of the "you'll be rooted" vulnerability) 
with that fix incorporated, or do I need to go with the CVS version? 
I'm hesitant to roll out "in-flux" code to my production systems, but 
I'll do what I got to do.

Thanks again, -S-
-- 
   Sandor W. Sklar  -  Unix Systems Administrator  -  Stanford University ITSS
   Non impediti ratione cogitationis.     http://whippet.stanford.edu/~ssklar/



More information about the openssh-unix-dev mailing list