OpenSSH 4.0 p1 and zlib vulnerability

Damien Miller djm at mindrot.org
Thu Jan 19 16:45:34 EST 2006


On Thu, 19 Jan 2006, Senthil Kumar wrote:

> Hi,
> 
> I'm using OpenSSH 4.0 p1 linked with zlib version less than 1.2.2 in a number
> of systems. These are all production systems where I can't upgrade the
> service. I have a question that if I disable the compression by setting
> "compression no" in sshd_config, will I be able to overcome the buffer
> overflow vulnerability in zlib? I just glanced through the code and it seems
> sshd is not affected if "compression no" is set. I would like to get inputs 
> from the list.

Yes, but you should disable compression for the clients too so they are
not subject to attacks from hostile servers.

OpenSSH 4.2 or greater supports the "zlib@openssh.com" method. This is safe
against pre-authentication attacks on the zlib code and therefore (if used
with privsep) means that even a valid but hostile user cannot use zlib bugs
to escalate privilege.

-d
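
Added example, not part of the original thread or of OpenSSH: a small Python check that reads the Compression setting from an sshd_config and an ssh_config and reports whether zlib is disabled on both sides, as the reply recommends. The "delayed" value is the sshd_config setting that corresponds to zlib@openssh.com in OpenSSH 4.2 and later; the function names and sample files are assumptions made for this illustration.

```python
import re

# Meaning of each server-side value (keys are sshd_config Compression values).
SERVER_STATES = {
    "no": "disabled: zlib is never negotiated",
    "delayed": "post-auth only: zlib@openssh.com starts after authentication",
    "yes": "pre-auth: zlib is reachable by unauthenticated peers",
}

def first_compression(config_text):
    """Return the first global Compression value, or None if unset.

    OpenSSH uses the first value obtained for a keyword, so later
    duplicates are ignored. Parsing stops at the first Host/Match block
    (simplification: per-host overrides are not evaluated).
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword in ("host", "match"):
            break
        if keyword == "compression" and len(parts) == 2:
            return parts[1].strip().strip('"').lower()
    return None

def audit(server_text, client_text):
    """Report both sides; an unset keyword means the build default applies."""
    server = first_compression(server_text)
    client = first_compression(client_text)
    return {
        "server": SERVER_STATES.get(server, "unset or unknown: check the build default"),
        "client_enables_zlib": client == "yes",
        "both_disabled": server == "no" and client == "no",
    }

# Constructed sample files, not taken from any real host.
SAMPLE_SSHD = "# hardened\nPort 22\nCompression no\nCompression yes\n"
SAMPLE_SSH = "Compression=yes\nHost *.example.org\n  Compression no\n"

if __name__ == "__main__":
    print(audit(SAMPLE_SSHD, SAMPLE_SSH))
```

The constructed client file shows the case the reply warns about: the server has compression off, but the client still enables it globally and so still exercises zlib against any server it connects to.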




More information about the openssh-unix-dev mailing list