http://bugs.gentoo.org/show_bug.cgi?id=29417

-----Forwarded Message-----

> From: Damien Miller <djm@×××××××××××.org>
> To: openssh-unix-announce@×××××××.org
> Cc: announce@×××××××.org, bugtraq@×××××××××××××.com, lwn@×××.net, misc@×××××××.org, news@×××××××××××××.com, openssh-unix-dev@×××××××.org, pab@××××××××.de, secureshell@×××××××××××××.com, technik@×××××.de, timothy@××××××.org, webmaster@××××××.org
> Subject: Multiple PAM vulnerabilities in portable OpenSSH
> Date: Tue, 23 Sep 2003 06:40:25 -0600
>
> Subject: Portable OpenSSH Security Advisory: sshpam.adv
>
> This document can be found at: http://www.openssh.com/txt/sshpam.adv
>
> 1. Versions affected:
>
> Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
> vulnerabilities in the new PAM code. At least one of these bugs
> is remotely exploitable (under a non-standard configuration,
> with privsep disabled).
>
> The OpenBSD releases of OpenSSH do not contain this code and
> are not vulnerable. Older versions of portable OpenSSH are not
> vulnerable.
>
> 2. Solution:
>
> Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM
> support ("UsePam no" in sshd_config).
>
> Due to complexity, inconsistencies in the specification and
> differences between vendors' PAM implementations we recommend
> that PAM be left disabled in sshd_config unless there is a need
> for its use. Sites only using public key or simple password
> authentication usually have little need to enable PAM support.

--
Christian Gut <cycloon@×××××××.org>
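As an added example, not part of the forwarded advisory and not OpenSSH project code, the following POSIX shell check classifies an sshd_config against the mitigation in section 2 and flags the non-standard combination section 1 singles out (PAM enabled with privilege separation turned off). It assumes sshd's documented parsing rules: keywords are case-insensitive (so the advisory's "UsePam" and the canonical "UsePAM" are the same keyword), arguments are case-sensitive, and the first uncommented occurrence of a keyword wins. The function names first_value and pam_exposure are my own, and the two sample config files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory or the OpenSSH project): classify an
# sshd_config against the sshpam.adv mitigation. Assumes sshd's rules that
# keywords are case-insensitive, arguments are case-sensitive, and the first
# uncommented occurrence of a keyword wins. Function names are my own.

# first_value FILE KEYWORD
# Print the argument of the first uncommented KEYWORD line (case-insensitive
# keyword match), or "unset" if the file never sets it.
first_value() {
    val=$(awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                          # comment line
        NF >= 2 && tolower($1) == kw { print $2; exit }    # first match wins
    ' "$1")
    printf '%s\n' "${val:-unset}"
}

# pam_exposure FILE
# Prints one of:
#   pam-disabled      UsePAM no                (the advisory's mitigation)
#   pam-privsep       UsePAM yes, privsep on   (PAM code reachable, privsep intact)
#   pam-no-privsep    UsePAM yes, privsep off  (the configuration the advisory
#                                               calls remotely exploitable)
#   pam-unset         no UsePAM line           (falls back to the build default)
#   pam-unrecognised  any other UsePAM argument
pam_exposure() {
    pam=$(first_value "$1" UsePAM)
    privsep=$(first_value "$1" UsePrivilegeSeparation)
    case "$pam" in
        no)  echo pam-disabled ;;
        yes)
            # Assumption: privilege separation is on when the keyword is absent
            # (its default since OpenSSH 3.3), so only an explicit "no" counts.
            if [ "$privsep" = no ]; then echo pam-no-privsep; else echo pam-privsep; fi ;;
        unset) echo pam-unset ;;
        *)   echo pam-unrecognised ;;
    esac
}

# Constructed sample configs (not taken from any real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/risky_config" <<'EOF'
# constructed: PAM on with privilege separation turned off
Port 22
#UsePAM no      <- commented out, must be ignored
   usepam yes
UsePrivilegeSeparation no
EOF
cat > "$SAMPLE_DIR/mitigated_config" <<'EOF'
# constructed: the advisory's "UsePam no"; the later "UsePAM yes" loses
# because sshd takes the first occurrence of a keyword
Port 22
UsePam no
UsePAM yes
EOF

for f in "$SAMPLE_DIR"/*_config; do
    printf '%s: %s\n' "$(basename "$f")" "$(pam_exposure "$f")"
done
```

Run it as-is to see the two constructed files classified, or call `pam_exposure /etc/ssh/sshd_config` against a real file. The first-match rule matters in practice: a hardening line appended at the end of a config that already sets `UsePAM yes` earlier has no effect, which is why the check reads the first occurrence rather than the last.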