[H-GEN] What can I use instead of SSHD?

Anthony Towns aj at azure.humbug.org.au
Thu Jun 27 02:31:40 EDT 2002


On Thu, Jun 27, 2002 at 04:11:20PM +1000, Sarah Walters wrote:
> > Today CERT tells me everything but OpenSSH 3.4 is remotely exploitable
> Just because there have been a lot of CERT emails
> about SSH in the last few days doesn't mean you should abandon it. 

The reason there've been quite so many mails about OpenSSH in the past
few days is that the usual process for security issues hasn't been
followed: rather than mail vendor-sec (a closed mailing list that goes
to the security people from the various Linux vendors and such) with the
details of the problem to allow independent review of the problems and
alternate fixes, there's been a lot of panicky and uninformative messages
telling vendors that they must upgrade to the very latest version of
OpenSSH immediately. Given that Theo de Raadt isn't a random goofball,
this has forced vendors to send out advisories without knowing all the
facts, and to repeatedly update them as more is known.

It's still not clear exactly what's affected. AIUI, the current indication
is that openssh in Debian 2.2 (potato, current stable) isn't vulnerable,
that the openssh in the forthcoming Debian 3.0 (woody, current testing)
may be vulnerable depending on how it's configured (which in turn
depends on when you installed it), although not to the problem that
was reported in the ISS advisory that came out yesterday but rather to
another related one. The initial upgrade (to 3.3p1) that was forced down
everyone's throats reportedly has most of these problems, but thanks
to the privilege separation code, limits their effect to being able to
run arbitrary code as an unprivileged user stuck in an empty chroot. This
shouldn't give them access to your machine, but could allow your machine
to be used as a base for exploiting other systems.

The main problem, though, is that instead of allowing the various vendors
any time at all to analyse this and prepare reviewed fixes, they've
been forced to prepare their fixes either without any information on
the problem at all, or with the problem posted to public mailing lists,
and thus the high probability of exploits being in wide use.

    ``One remote hole in the default install, in nearly 6 years!''
                                    -- www.openbsd.org

Cheers,
aj

-- 
Anthony Towns <aj at humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

 ``If you don't do it now, you'll be one year older when you do.''