| 1 |
http://bugs.gentoo.org/show_bug.cgi?id=29417 |
| 2 |
-----Forwarded Message----- |
| 3 |
> From: Damien Miller <djm@×××××××××××.org> |
| 4 |
> To: openssh-unix-announce@×××××××.org |
| 5 |
> Cc: announce@×××××××.org, bugtraq@×××××××××××××.com, lwn@×××.net, misc@×××××××.org, news@×××××××××××××.com, openssh-unix-dev@×××××××.org, pab@××××××××.de, secureshell@×××××××××××××.com, technik@×××××.de, timothy@××××××.org, webmaster@××××××.org |
| 6 |
> Subject: Multiple PAM vulnerabilities in portable OpenSSH |
| 7 |
> Date: Tue, 23 Sep 2003 06:40:25 -0600 |
| 8 |
> |
| 9 |
> Subject: Portable OpenSSH Security Advisory: sshpam.adv |
| 10 |
> |
| 11 |
> This document can be found at: http://www.openssh.com/txt/sshpam.adv |
| 12 |
> |
| 13 |
> 1. Versions affected: |
| 14 |
> |
| 15 |
> Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple |
| 16 |
> vulnerabilities in the new PAM code. At least one of these bugs |
| 17 |
> is remotely exploitable (under a non-standard configuration, |
| 18 |
> with privsep disabled). |
| 19 |
> |
| 20 |
> The OpenBSD releases of OpenSSH do not contain this code and |
| 21 |
> are not vulnerable. Older versions of portable OpenSSH are not |
| 22 |
> vulnerable. |
| 23 |
> |
| 24 |
> 2. Solution: |
| 25 |
> |
| 26 |
> Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM |
| 27 |
> support ("UsePam no" in sshd_config). |
| 28 |
> |
| 29 |
> Due to complexity, inconsistencies in the specification and |
| 30 |
> differences between vendors' PAM implementations we recommend |
| 31 |
> that PAM be left disabled in sshd_config unless there is a need |
| 32 |
> for its use. Sites only using public key or simple password |
| 33 |
> authentication usually have little need to enable PAM support. |
| 34 |
-- |
| 35 |
Christian Gut <cycloon@×××××××.org> |
Archives