The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Revised OpenSSH Security Advisory (adv.token)


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Fri, 26 Apr 2002 13:59:49 +0200
From: Markus Friedl <markus@openbsd.org.>
To: [email protected]
Subject: Revised OpenSSH Security Advisory (adv.token)

This is the 2nd revision of the Advisory.

Buffer overflow in OpenSSH's sshd if AFS has been configured on the
system or if KerberosTgtPassing or AFSTokenPassing has been enabled
in the sshd_config file.  Ticket and token passing is not enabled
by default.

1. Systems affected:

        All Versions of OpenSSH with AFS/Kerberos token passing
        compiled in and enabled (either in the system or in
        sshd_config) contain a buffer overflow.

        Token passing is disabled by default and only available in
        protocol version 1.


2. Impact:

        Remote users can get privileged access for OpenSSH < 2.9.9

        Local users can get privileged access for OpenSSH < 3.2.1

        No privileged access is possible for OpenSSH with
        UsePrivilegeSeparation enabled.


3. Solution:

        Apply the matching patch:

        ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-3.1-adv.token.patch
        ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.1p1-adv.token.patch
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/024_sshafs.patch
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/019_sshafs.patch
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/001_sshafs.patch


4. Credits:

        Marcell Fodor <m.fodor@mail.datanet.hu.>


EOF


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру