Unofficial empeg BBS

#179363 - 16/09/2003 11:42 OpenSSH security hole
tman
carpal tunnel

Registered: 24/12/2001
Posts: 5528
If anybody uses OpenSSH then please go and read http://www.openssh.com/txt/buffer.adv
There's been a security hole discovered and you need to either patch the existing code or upgrade to 3.7.

#179364 - 16/09/2003 11:47 Re: OpenSSH security hole [Re: tman]
ricin
veteran

Registered: 19/06/2000
Posts: 1495
Loc: US: CA
HAH. I was just about to post something about that.
_________________________
Donato
MkII/080000565
MkIIa/010101253
ricin.us

#179365 - 16/09/2003 12:31 Re: OpenSSH security hole [Re: ricin]
ricin
veteran

Registered: 19/06/2000
Posts: 1495
Loc: US: CA
A lot of the mirrors don't have the latest 3.6 CVS snapshot or 3.7. So here's a few mirrors:
http://www.splaq.com/ssh/
http://www.maxinux.com/SSH/

#179366 - 16/09/2003 17:07 Re: OpenSSH security hole [Re: ricin]
tman
carpal tunnel

Registered: 24/12/2001
Posts: 5528
heh. I was going to post this earlier but I didn't have a proper write up for it.

The OpenSSH hole is annoying as hell. It means that everybody has to suddenly go out and patch/upgrade untold numbers of systems as normally the SSH port would be open.

If you've not got enough time then firewalling the SSH port and only allowing authorised IP addresses (static only though!) to connect should mitigate some of the risk but it's best to upgrade still.

#179367 - 16/09/2003 17:15 Re: OpenSSH security hole [Re: tman]
ricin
veteran

Registered: 19/06/2000
Posts: 1495
Loc: US: CA
> heh. I was going to post this earlier but I didn't have a proper write up for it.

Ditto. I didn't have the files up on the mirrors yet either.

> The OpenSSH hole is annoying as hell. It means that everybody has to suddenly go out and patch/upgrade untold numbers of systems as normally the SSH port would be open.
>
> If you've not got enough time then firewalling the SSH port and only allowing authorised IP addresses (static only though!) to connect should mitigate some of the risk but it's best to upgrade still.

Yep, big pain in the butt. Every one of my machines has SSH on it, eesh. So far I've got all but three of them patched/upgraded.

#179368 - 17/09/2003 07:50 Re: OpenSSH security hole [Re: ricin]
tman
carpal tunnel

Registered: 24/12/2001
Posts: 5528
Umm yeah... Even more of a pain... 3.7.1 is out and it fixes more bugs.

#179369 - 17/09/2003 10:17 Re: OpenSSH security hole [Re: tman]
ricin
veteran

Registered: 19/06/2000
Posts: 1495
Loc: US: CA
Grrr. I'm all for keeping up to date, but sometimes it's just really annoying.

#179370 - 23/09/2003 14:29 Re: OpenSSH security hole [Re: ricin]
tman
carpal tunnel

Registered: 24/12/2001
Posts: 5528
You're going to love this... 3.7.1p2 is out. There is a PAM bug in the portable version. The OpenBSD version is apparently fine.

#179371 - 23/09/2003 14:34 Re: OpenSSH security hole [Re: tman]
ricin
veteran

Registered: 19/06/2000
Posts: 1495
Loc: US: CA
Yeah. Thankfully I don't use PAM. Anyway, my mirror is up to date (the maxinux.com one isn't mine).
