Note: Due to technical difficulties, the Archives are currently not up to date.
GMANE provides an alternative service for most mailing lists. c.f. bug 424647
- -----------------------------------------------------------------------
GLSA: GENTOO LINUX SECURITY ANNOUNCEMENT
- -----------------------------------------------------------------------
PACKAGE : OpenSSH
SUMMARY : security vulnerability in openssh
DATE : Thu Jun 27 02:03:04 UTC 2002
- -----------------------------------------------------------------------
OVERVIEW
This bug can be exploited remotely if ChallengeResponseAuthentication
is enabled in sshd_config, allowing attackers to gain superuser access.
DETAIL
A vulnerability exists within the "challenge-response" authentication
mechanism in the OpenSSH daemon (sshd). This mechanism, part of the SSH2
protocol, verifies a user's identity by generating a challenge and
forcing the user to supply a number of responses. It is possible for a
remote attacker to send a specially-crafted reply that triggers an
overflow. Remote attackers can therefore gain superuser priveleges.
http://online.securityfocus.com/archive/1/278818/2002-06-23/2002-06-29/0
http://openssh.org/txt/preauth.adv
http://openssh.org/txt/iss.adv
Affected versions are: openssh-3.3_p1 and earlier.
SOLUTION
It is recommended that all Gentoo Linux users who are running openssh
update their systems as follows.
emerge --clean rsync
emerge openssh
emerge clean
- ------------------------------------------------------------------------
lostlogic@g.o
woodchip@g.o
seemant@g.o
drobbins@g.o
- ------------------------------------------------------------------------
|
|
