|
Re: lug-bg: [Fwd: [Full-Disclosure] **NEW** OpenSSH Vuln Today]
- Subject: Re: lug-bg: [Fwd: [Full-Disclosure] **NEW** OpenSSH Vuln Today]
- From: Georgi Chorbadzhiyski <gf@xxxxxxxxxxx>
- Date: Wed, 24 Sep 2003 16:17:51 +0300
- Organization: Unix Solutions Ltd. (http://unixsol.org)
Plamen Tonev wrote:
On Wed, 24 Sep 2003 12:19:33 +0300
Georgi Chorbadzhiyski <gf@xxxxxxxxxxx> wrote:
Da ne govorim che poslednite
bugove, dosega nikoi ne e dokazal che sa remote exploitable, samo che
mogat da prichiniat DoS.
Sorry za loshata novina...dnes do 11h beshe taka...no veche ne:
It has been reported that multiple bugs and vulnerabilities exist in
the PAM implementation in the Portable OpenSSH code. At least one
issue has been confirmed exploitable when OpenSSH is configured with
"UsePam" and without "UsePrivilegeSeparation".
Predpolagam che ne e "in the wild" vse oshte ...no vse pak!
Pozdravi, Plamen
Slackware ne izpolzva pam :) taka che ne mi dreme...
Citat ot ChangeLog-a na slack-current
<quote>
n/openssh-3.7.1p2-i486-1.tgz: Upgraded to openssh-3.7.1p2.
This fixes security problems with PAM authentication. It also includes
several code cleanups from Solar Designer. Slackware does not use PAM and is
not vulnerable to any of the fixed problems.
Please indulge me for this brief aside (as requests for PAM are on the rise):
If you see a security problem reported which depends on PAM, you can be
glad you run Slackware. I think a better name for PAM might be SCAM, for
Swiss Cheese Authentication Modules, and have never felt that the small
amount of convenience it provides is worth the great loss of system
security. We miss out on half a dozen security problems a year by not
using PAM, but you can always install it yourself if you feel that
you're missing out on the fun. (No, don't do that)
OK, I'm done ranting here. :-)
I suppose this is still a:
(* Security fix *)
</quote>
:-)))
--
Georgi Chorbadzhiyski
http://georgi.unixsol.org/
============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
============================================================================
|
|
|