Vulnerability In SSH1
matt666 writes "Bindview released an advisory yesterday warning us that "[a]n integer-overflow problem is present in common code of recent ssh daemons, deattack.c, which was developed by CORE SDI to protect against cryptographic attacks on SSH protocol. [...] This effectively allows an attacker to overwrite arbitrary portions of memory". Practically all common versions of SSH1 are affected, except OpenSSH 2.3.0." A whole slew of people have written in regarding this - from the folks at SmoothWall advising of an update, to a bunch of people just saying "Oh No!". My understanding is that a fix is already in the works.
According to the site this should trigger the bug but it doesn't:
ruben@ruben:~ > ssh -v -l `perl -e '{print "A"x88000}'` localhost
SSH Version 1.2.30 [i686-unknown-linux], protocol version 1.5.
Standard version. Does not use RSAREF.
ruben: Reading configuration data /etc/ssh_config
Hostname or username is longer than 255 characters.
ruben@ruben:~ >
Does this mean it's secure?
Peter Pan Syndrome be damned
You must be American - no sense of irony huh?
Once again we have proof that the OpenBSD folks have given us a solid and secure product.
Given that OpenSSH is used across a greater spectrum than OpenBSD, this should help the OpenBSD group gain even more support.
Never, ever use Linux for a firewall. Use OpenBSD!
Oops, that's not a good thing to say on slashdot, is it?
Stone tablets?
Luxury!
:)
It is in the CVS snapshots
SSH's own Win32 SFTP client is good.
http://www.ssh.com/products/ssh/
Based on your .edu, I think you can use it for free.
Unfortunately I haven't seen one for Classic Mac yet. At least command line will be an option with OS X.
I just patched the OpenSSH 2.2.0pl1 RPMS that I've been using. For anyone using OpenSSH 2.1 or 2.2 (As long as you've already got OpenSSL 0.9.5a or later) you can grab the rpms (and the src rpm) from here.
Improvise, adapt, and overcome.
You use APOP.
It's been around for years, and most clients support it.
It encrypts the password with a hash then sends it to the server, from memory.
http://www.debian.org/security/2001/dsa-026
(You're getting the dsa-026.html file in the 2001/ directory.)
-Yenya
--
While Linux is larger than Emacs, at least Linux has the excuse that it has to be. --Linus
Yes he is.
Bosses that whine about spelling are usually morons. Bosses, that want results? hire guys like me.
Do not look at laser with remaining good eye.
We're off to patch our code
We're keeping Kiddies off
To save our web servers.
Our Sys. Admins.
Searching for obscure bugs
Heading off new exploits
Leaving Quake games behind
Who knows what bugs we'll find
We must be smart and brave
And always be sure to save
If we don't, in just one year
Our website will disappear
Fighting with Script Kiddies
Who won't stop with the "ph3r m3s"
Then we'll reboot, and when we're done
More Quake for everyone with our Sys Admins!
George Lee
Good to see bugs getting shaken out.
George Lee
I don't suppose other people coming to point #2 has anything to do with the state of affairs in #1?
You'll have to reverse the arguments of kill for that to work:
- kill(SIGALRM, getppid());
+ kill(getppid(), SIGALRM);
-- v --
For the record, both the ssh1 and OpenSSH ports have now been fixed. Personally, I'm just upgrading my remaining 3.x machine to 4-STABLE since it's long overdue.
-- Any statement of the form "X is the one, true Y" is FALSE.
Maybe it would be a good idea to ask Mr Vixie to create a closed mailing list, to better prepare for ssh security holes.
OpenSSH pre 2.3.0 is also vulnerable, so don't be getting any false sense of security here.
-
sig sig sputnik
I know. But this is a firewall ;> Use i know.. "why ssh on the firewall!" well there is.
---
-
ping -f 255.255.255.255 # if only
It's hard to write a single much less a specialized app to go through every input type, every branch of execution. It's possible, but it's VERY hard.
---
-
ping -f 255.255.255.255 # if only
Yep. That sounds like OpenBSD. They have closed many holes that nobody knows about. Not all of them, I'm sure, but if they find one, they try to close all similar holes. FreeBSD seems to be playing a good game of catch-up.
You may be a C bigot :) but SML implementations aren't so bad:
Check out the results of the ICFP contest - the ML-based programs were really, really fast. (And they also worked, unlike a lot of the C and Perl solutions!).
Of course, it's too bad I'm a C bigot too, or my code might be better... ;)
full path, yes, wildcards, no. I type wildcards into my scp lines (hell, even environment variables work) all the time, and haven't had any problems...
However, yes, for anything more than quick or automated file moves, sftp is a much better option.
Well, it will be lazy admins who suffer from this... In particular - this is in the article, should you ever decide to read it - the nature of the flaw prevents the buffer overflow from using certain instructions, which means that it's sufficiently hard to write an exploit for this that none are currently known. So the skript kiddiez are probably not going to get their heartz dezire this time.
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.
Expanding a vast wasteland since 1996.
Huh? FreeBSD has been using OpenSSH 2.3.0 - a non vulnerable version - since December 5.
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.
Expanding a vast wasteland since 1996.
Don't everyone panic and upgrade your ssh1 clients. This only affects the server end. If you run an ssh1 server, now you can start worrying.
--
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
As I recall, about the only thing that was needed was to make sure OpenSSL was installed first. Keeping your favorite compiler options in CFLAGS and CXXFLAGS helps, too, as configure (if it's of the GNU variety) will usually pick up whatever is in those variables. It's always figured everything else out by itself. I've installed OpenSSH on SuSE 6.[34] and LFS systems, and have never had any problems with the build.
20 January 2017: the End of an Error.
Sure OpenSSH will protect you when you log into your *nix box. But what happens when you go to get your POP mail from your ISP? You send out your password in plaintext and then your mail is completely vulnerable.
What? You STILL use unencrypted POP mail? I think all the major mail servers support POP/IMAP over SSL. Get it now.
--
It has to work - rfc1925
And yet, I got modded up three times. Gotta love /.'s crack-smoking moderators =) It's just so easy!
Of course, I've already hit the cap (been there for months now), so whatever...
--
"I personal[ly] think Unix is "superior" because on LSD it tastes like Blue." -- jbarnett
That's interesting, because I just did ./configure, dl'd and installed the libs it needed (zlib and OpenSSL), ./configure again, make, make install, edit /usr/local/etc/sshd_config so it ran on port 123 (testing purposes, ssh is the only access I have to my Linux box, so...), start /usr/local/sbin/sshd, ssh in on port 123, verify that it works, change sshd_config, kill -HUP `cat /var/run/sshd.pid`, and it's all set.
The above is on a Slack install still running kernel 2.0.38 and some older version of glibc.
Important utilities like ssh should not be written in unsafe languages like C or C++ that allow buffer overflows. Otherwise, this class of problem is never going to go away, because developers aren't perfect. And, because people don't want to be bothered about updates, in present-day reality Unix is highly insecure.
To get OpenSSH 2.3.0p1 to compile under freebsd 3.4-RELEASE:
- first ensure openssl 0.9.6 is installed. If not, install it.
- ./configure --without-pam --with-tcp-wrappers --sysconfdir=/etc/ssh --with-md5-passwords --with-libs=-lcrypt
Took a little monkeying around, but it seems to work fine for me at the moment. Good luck.
What the fuck are people publishing a patch if there's not a fix?
Streamripper
this is my sig.
I've been pushing for outside access at my workplace for a while now. There are a lot of security concerns and I have been trying to advocate using ssh. Is this a viable solution? In other words, how safe is it? -Willy
For Win32 I like SecureFX 1.9
Tim Gaastra
Build a better mousetrap and the world will immediately get their fingers caught in it.
dopp
-- If a god of love and life ever did exist, he's long since dead. Someone, something, rules in his place
Doesn't appear to have made it to the "portable" version yet.
I just installed 2.3.0p1, and it isn't there.
Temkin
Of course, there is still the problem that good old SMTP still goes unencrypted, but TLS-aware MTAs (TLS is the new name for SSL, basically) will encrypt the traffic between them! Recent versions of Sendmail are TLS-aware, there's Postfix-TLS, and experimental versions of Exim. Not sure about qmail.
As for POP and IMAP, I don't think anybody is talking about making encryption a standard part of them, but I could well be wrong.
I was always under the impression that if your traffic passes through any sort of localized network it can be sniffed, like an @Home subnet, University network, network at your job etc. Your theory would really only apply to DSL or dialup and then only if the machine you were contacting was also connected directly to the internet with no sort of network attached to it.
"We obviously need a new moderation category: (-1, Woo-fucking-hoo)" --Mr. AC
I'm not too experienced with overflows, but how would the Openwall buffer overflow kernel patch by Solar Designer handle this, if at all?
--> 2.3.0 since 8 Nov
<http://www.FreeBSD.org/cgi/cvsweb.cgi/src/secu re/usr.bin/ssh/Makefile>
--> 2.3.0 since 12 Jan
Cheers,
--fred
I have no probs using wildcards (*.htm etc) for openssh 2.3 server or client.
Yup, I got it yesterday with my daily apt-get dist-upgrade. All hail Debian.
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
WHAT? Your pop mail ISN'T encrypted with pgp/gpg? I have all the people I really care to talk to properly educated in how to use PGP. Even my wife, who found giving up AOL to be highly traumatic. Hell, I've got my filters set up to send anything that ISN'T signed or encrypted directly to the spam box.
What in the world does that have to do with sending your POP password in plain text to fetch your PGP encrypted email?
I've been using OpenSSH 2.3.0 for what seems like a long time... Maybe I'm the only one who goes on an "update bender" every couple of months to make sure I have recent versions of the stuff I use (and crypto related software is what I check most often). Hell, Debian and Helix Gnome could be updated by an AOLer. Again I call into question the quality of a sys admin who can go even a few weeks without updating important software, or at least checking out recent info.
From hell's heart I fstab at /dev/hdc
would a 747 filled with cd-rom's even be able to take off??
The only things open to the internet when using smoothwall is SSH (if enabled, disabled by default). That's it. Everything else is locked down with IPChains and tcp_wrappers. Smoothwall is secure. It was designed with security in mind.
This is a bold claim, but smoothwall is basically uncrackable out of the box. The only thing 'affecting' it now is the SSH problem. Hence, we've released a fix for it. The bugfix was out within hours of the bug being found. How many other FireWalls (commercial or free) can say that?
This is our first security related problem, and it's now patched.
The only way FTP/telnet can be accessed is from within the network smoothwall is protecting. Smoothwall is secure. End of story.
Jon Fautley, Smoothwall Developer and Listmaster
--
Jon Fautley, SmoothWall Developer - http://www.smoothwall.org/
Cut-and-paste the following text into a file deattack.c.patch.
+++ deattack.c.orig Wed May 12 12:19:25 1999
@@ -79,7 +79,7 @@
detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
{
static word16 *h = (word16 *) NULL;
- static word32 n = HASH_MINSIZE / HASH_ENTRYSIZE;
+ static word16 n = HASH_MINSIZE / HASH_ENTRYSIZE;
register word32 i, j;
word32 l;
register unsigned char *c;
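Review bot: The `-`/`+` pair on the declaration of `n` goes from word32 to word16, which narrows `n` while `len` and `l` in the same function stay word32, and the only file header is `+++ deattack.c.orig` with no `---` line, so this looks like a diff generated with the two files swapped. Regenerate it original-first so that the `+` line reads `static word32 n = HASH_MINSIZE / HASH_ENTRYSIZE;`, or say explicitly that it has to be applied with `patch -R`.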
Get the source tar file, untar it with tar zxvf tarfile, change into the source directory, and patch
Scroogle
I posted a patch file
Scroogle
It's a very big problem, We wont detect attack, detect viruses, but when we create this detection system, we open a new holes in new code.
Because they don't implement it, you dumb rube.
One person figures it out and everyone benefits
All it takes is ONE person writing a script that DOES use this exploit and the script kiddies will be unleashed. It does not matter that it is sufficiently hard to write, if someone writes it once, that's all it takes. Hard to write and hard to run a script are two different things
You can call this a troll if ya want, or you can take it as it was intended: a reminder that the /. community needs to do a bias check when it discusses vulnerabilities. (Or don't do a bias check, it's entertaining, and hey /. is the place to be if you lean to open source!) *grin*
All too often on M$ related items the comments read like this "hahaha, if they had just disabled this, this wouldn't be a problem. They're just idiots!"
On Open Source issues they read like this "Well, this isn't REALLY a problem...if you simply turn off this, you are safe. Easy."
---"What did I say that sounded like 'Tell me about your day?'"---
No I am talking about truly sensitive information, nuclear secrets, military budget info and the like.
None of us would be stupid enough to store classified data on a PC attached to the internet, would we ?
I think this is a storm in a teacup, we should not waste time worrying about things that really have no relevance. We should be more concerned about things like the DMCA and the like.
What do others think ?
...for scp between Win and nix servers, I use WinSCP.
My next sig will be ready soon, but subscribers can beat the rush
that you should never, truly, trust the software you use.
Fundamentally flawed???? So what would you call Microsoft? The most broken into web server and it's not open sourced ?
Hopefully your ISP is smart and your email account is a virtual email account that has no actual machine access anyway.
What is pirate software? Software for inventory of stolen treasure?
And typically, no mention of this on the MS security site - when are those guys going to catch up with the modern world?
**Vanuatu or bust**
Password sniffing is a big issue on university networks. I don't think you'll find more uncontrollable computers connected to a network in one place anywhere else. The problem is worsened because the high density of computers often results in the use of broadcast-style hubs to cut costs, especially when you are servicing a dormitory and don't care if the subnet gets bogged down. The result is that any yahoo could grab all the mail passwords for his entire floor without much difficulty. Secure services are essential in that sort of situation.
I hate having to know the full path to everything, or the inability for the remote server to process wildcards. These are inherent limitations of scp.
I.e. all except 2.3.0
http://www.debian.org/security/2001/dsa-027
If you are in Windows bring up a dos session and make sure you are in the same directory as where you downloaded the tar.gz file - please make sure you follow this instruction. Linux / BSD / GNU based systems users you all know what you're doing so we won't teach you to suck too many eggs in this instruction in fact we won't teach you to suck any eggs and congratulate you on running a free operating system that enhances your standing in the community.
Please open up a terminal window and type in the following:
ftp __.___.___.___ [substitute underscores for the ip address of your SmoothWall server]
When prompted for username type root
When prompted for password type the password you allocated for root
then follow the following instructions
bin [followed by return]
put smoothwall-openssh-2.3.0p1.tar.gz [followed by return]
Once this operation is complete type
quit [followed by return]
Funny, I thought that one of the great advantages of using SSH (aside from the port forwarding) was that you'd never have to send your password in cleartext. Besides, who actually allows root to connect to their FTP server? The conventional wisdom has always been that root is too powerful to "just FTP".
Suck eggs, indeed.
/ \
\ / ASCII ribbon campaign for peace
x
/ \
Oh it's simple. you look at security advisories but you do not download every update that floats down. A good sysadmin does not apply patches/updates/other fodder just because they are there. The sysadmin applies them if they are needed.
I have 1 server running that has a 1.2 kernel on it. it hasn't been updated because it doesn't need to be.(and is in a remote location that takes days to reach) Only the foolish fix things that aren't broke.
So, as one of the best sysadmins my corporation has, I DON'T update important software every few weeks.
P.S.- we still run NT 3.5 servers too for critical systems. Could an entire industry be foolish by not updating every few weeks? I think not.
Do not look at laser with remaining good eye.
Shouldn't Theo have caught this? or is he only concerned with OpenSSH?
Read past the headline:
So Theo (or someone else working on OpenSSH) DID catch it. Maybe they didn't know they caught it, or that it was exploitable, but they did fix it.
i was using the portable version, it's just that, by default, it likes you to use PAM for password authentication, which slackware doesn't. if you don't use PAM, it likes you to have your passwords encrypted with crypt. mine aren't.
i had to use a few special configuration parameters (i think they were --enable-md5 --enable-shadow and --disable-pam, but i'm not sure. that's from memory.)
#define F(x) int main(){printf(#x,10,#x);}
F(#define F(x) int main(){printf(#x,10,#x);}%cF(%s))
Yeah, /usr/ports for freebsd 3 still uses openssh 2.2, but disabling protocol 1 is at least a quick fix while a more stable thing is done.
---
-
ping -f 255.255.255.255 # if only
Try http://www.debian.org/security/2001/dsa-027.
Actually, if the poster was serious, I doubt he was supporting VB, but rather something like SML/NJ. The proponents of this language insist that their programs can be made unhackable because they can be mathematically proven to be secure.
;->
Of course, I don't think this is the way to go - mostly because current SML implementations are damn slow, and I'm a C bigot.
--------------------------
There are a large number of ISPs which do not use switched networks, and also do not use AntiSniff. As a result, they have no protection against this. Seeing as you seem to believe that most ISPs prevent this, how do you believe they do that?
Furthermore, the belief that every router hop from your machine to the machine you're connected to is secure is fatally mistaken. Just because your ISP has effective security measures does not mean that everyone on the route has the same effective measures.
--
Right, better use Windows/Visual Basic instead, which assume the coder doesn't know what he is doing, and thus introduce security holes on his behalf...
It looks like Debian already has the updated version available.
More information available on the debian package at http://www.debian.org/security/2001/dsa-026/
First bind, then ssh.. what's next -- will somebody find a way to hack Hotmail?!
:)
Oh, wait..
----------
Never underestimate the bandwidth of a 747 filled with CD-ROMs.
lizrd got the first point, which is that someone coming in and fucking up your data, "sensitive" or not, is a serious pain, even if you have comprehensive backups.
The second point is that while you may not be a criminal, leaving your box open to something like this makes you criminally stupid. Some script kiddie may jump in and start setting up IRC servers and using your machine to help in some DDOS attacks. Try proving to your local authorities that just because the logs say the attacks came from YOUR IP that it wasn't YOUR fault and that, please officer, can I have my computer back now?
I thought we had already discussed that we should all move away from SSH1 and use SSH2... As advised by SecurityPortal, I upgraded my server and clients to SSH2. I for one am feeling safe, now, at least for the few next weeks/months...
As for OpenSSH, I didn't know Theo worked on it, But I did know OpenSSH and OpenBSD were related. which explains what I said, also you were the second person to call me on that, it wasn't necessary, but it reinforced your arguments that I am an idiot. You're going out on a limb calling me on things like capitalization, and obviously on purpose misspellings.
recently I've been losing patience with slashdot, and posting garbage. if you look at my history you'll notice many of my posts have been modded down (some way down) after they were modded up. As you can also see i have the +2 bonus, and am, from time to time a moderator, which means i must have gotten karma at some point.
I'm sick of the slashdot way of karma whoring, so I'm also getting lazy, impatient and bored.. I've been posting stuff just to see how it gets received, not because I believe in what I say, or even care about what I'm talking about.
Am at a point where I don't care about my karma, I don't care if other people don't like what I say, I think I'm turning into what slashdot concedes a troll, and if so, so be it.
-Jon
Streamripper
this is my sig.
So I said "huh, so except for a man in the middle attack, or brute force, there's really no attacks", "yup". then i said "So all those exploits on ssh are just coding errors right?", "yup".
so what is this like 4th r00t exploit from ssh? You would really think that people making an app to improve security would be more careful about this. Or maybe they did, and it's one of those new sprintf ones, if I remember from defcon (boy that sucked) there was a common exploit via sprintf's that wasn't widely known until recently... , something to do with %n I think..
Shouldn't Theo have caught this? or is he only concerned with OpenSSH?
-Jon
Streamripper
this is my sig.
Personally, I'd like to see a move to Modula 3 or Ada for trusted modules, but so few people know those languages now. Hard-compiled Java, maybe.
Newer versions of GCC can generate diagnostics as they compile and optimize.
gcc -Wall -W -O -c foo.c will generate lots of helpful diagnostics on stderr.
Like Tetris? Like drugs? Ever try combining them?
Will I retire or break 10K?
WHAT? Your pop mail ISN'T encrypted with pgp/gpg? I have all the people I really care to talk to properly educated in how to use PGP. Even my wife, who found giving up AOL to be highly traumatic. Hell, I've got my filters set up to send anything that ISN'T signed or encrypted directly to the spam box.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
The worst thing that can happen if your messages are encrypted is that the attacker can delete them from your mailbox. This amounts to a pretty lame DoS attack - annoying but not catastrophic. If it's a message that absolutely MUST go through, you shouldn't be relying on email in the first place. It would be a pretty stupid attack anyway, because the target would know pretty quickly that their comm channel has been compromised.
An attacker could find out the names and emails of the people you are conversing with, but they could get that information anyway, by sniffing it out of the headers of the incoming SMTP messages (for example). [Traffic analysis, anyone?] If you need to conceal WHO you are talking to, you need to use some sort of dead drop arrangement, like posting an image with a steganographically-imbedded message to usenet or a free webpage.
Whining about the insecurity of POP3 (and SMTP) isn't a productive use of your time. Virtually every ISP in the world uses POP3/SMTP for email. It's insecure. Deal with it. If security matters, host your own Secure IMAP server and encrypt all your traffic. Your ISP isn't going to be changing its email infrastructure any time soon. (Talk about a major tech support nightmare!) Sure, it would be nice if email had end-to-end encryption that is completely transparent to the end user, but that's not going to happen around any time soon. You've got to make do with the tools you have to work with.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
Ok.. will someone explain to me how a #2 post can be "Redundant" when the first post was just a first post ?
Geez moderators, browsing at "+2 newest first" isn't exactly bright.
-Billco, Fnarg.com
Go to the ports directory, you say. That doesn't compile either. the SSH2 port doesn't compile either! Neither will OpenSSH (it warns about remote root exploits, really helpful), and the latest maintained official ssh1 version is 1.2.27.
I expect to find a lot of rootable old FreeBSD boxes out there.
- A.P.
--
* CmdrTaco is an idiot.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Not true. There were two separate vulnerabilities announced yesterday. The first just involves changing the static word16 to a static word32, but the second attack involved connecting many times to determine a session key. With the session key (and a sniffed session), one could decrypt the entire ssh session. Here's the patch for this one (for ssh-1.2.31 and below):
--- rsaglue.c 1999/12/10 23:27:25 1.8
+++ rsaglue.c 2001/02/03 09:42:05
@@ -264,7 +268,15 @@
mpz_clear(&aux);
if (value[0] != 0 || value[1] != 2)
- fatal("Bad result from rsa_private_decrypt");
+ {
+ static time_t last_kill_time = 0;
+ if (time(NULL) - last_kill_time > 60 && getppid() != 1)
+ {
+ last_kill_time = time(NULL);
+ kill(SIGALRM, getppid());
+ }
+ fatal("Bad result from rsa_private_decrypt");
+ }
for (i = 2; i len && value[i]; i++)
;
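Review bot: The added call `kill(SIGALRM, getppid());` has its arguments in the wrong order. kill() takes the process ID first and the signal number second, so as written the signal is not delivered to the parent and the `getppid() != 1` guard protects nothing. Change it to `kill(getppid(), SIGALRM);` and check the return value, since `last_kill_time` is updated before the call and a failed signal would otherwise still count as sent for the next 60 seconds.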
and here's the previously discussed patch:
--- ssh-1.2.31/deattack.c-old Wed Feb 7 19:45:16 2001
+++ ssh-1.2.31/deattack.c Wed Feb 7 19:54:11 2001
@@ -79,7 +79,7 @@
detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
{
static word16 *h = (word16 *) NULL;
- static word16 n = HASH_MINSIZE / HASH_ENTRYSIZE;
+ static word32 n = HASH_MINSIZE / HASH_ENTRYSIZE;
register word32 i, j;
word32 l;
register unsigned char *c;
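Review bot: Nothing in the visible lines bounds `len`, which arrives as a word32 argument. The `+` line makes `n` as wide as `len` and `l`, which removes the 16-bit mismatch, but an explicit maximum-length check at the top of `detect_attack`, or a comment naming where the caller enforces one, would make the sizing reviewable. Because `n` and `h` are both `static`, a short comment on how they are kept in step across calls would help as well.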
Also, it should be pointed out that openssh-2.3.0 isn't supported on openBSD <=2.6, so if you run an older openBSD, you either have to upgrade or switch to ssh.com's ssh....
--BlueLines "The cost of living hasn't affected it's popularity." -anonymous
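The truncation that the one-line deattack.c patch above removes, shown as an added example that is not part of the original thread or of the ssh source. The sizing loop, SSH_BLOCKSIZE, HASH_FACTOR and the numeric values given to HASH_MINSIZE and HASH_ENTRYSIZE are assumptions for illustration, and the sample lengths are constructed.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint16_t word16;
typedef uint32_t word32;

/* Assumed values for illustration: the thread shows only the names
 * HASH_MINSIZE and HASH_ENTRYSIZE, not their definitions. */
#define SSH_BLOCKSIZE   8u
#define HASH_ENTRYSIZE  2u               /* one word16 slot per entry */
#define HASH_MINSIZE    (8u * 1024u)
#define HASH_FACTOR(x)  ((x) * 3u / 2u)

/* Assumed sizing rule: start at the minimum entry count and grow by 4x
 * until the table can hold HASH_FACTOR(blocks) entries. All 32-bit. */
static word32 wanted_entries(word32 len)
{
    word32 l = HASH_MINSIZE / HASH_ENTRYSIZE;
    while (l < HASH_FACTOR(len / SSH_BLOCKSIZE))
        l <<= 2;
    return l;
}

/* Pre-patch declaration: the entry count is kept in a word16, so the
 * high bits of a large count are silently dropped. */
static word32 alloc_bytes_word16(word32 len)
{
    word16 n = (word16)wanted_entries(len);
    return (word32)n * HASH_ENTRYSIZE;
}

/* Patched declaration: the entry count is kept in a word32. */
static word32 alloc_bytes_word32(word32 len)
{
    word32 n = wanted_entries(len);
    return n * HASH_ENTRYSIZE;
}

/* Defensive form for code that must keep a narrow type: reject any
 * length whose entry count does not survive the narrowing.
 * Returns 1 and stores the count on success, 0 on rejection. */
static int entries_checked(word32 len, word16 *out)
{
    word32 l = wanted_entries(len);
    if (l > UINT16_MAX)
        return 0;
    *out = (word16)l;
    return 1;
}

int main(void)
{
    /* Constructed sample input lengths, in bytes. */
    const word32 samples[] = { 1024u, 32768u, 88000u };
    size_t i;

    printf("%8s %10s %14s %14s %8s\n",
           "len", "entries", "bytes(word16)", "bytes(word32)", "checked");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        word16 n = 0;
        int ok = entries_checked(samples[i], &n);
        printf("%8lu %10lu %14lu %14lu %8s\n",
               (unsigned long)samples[i],
               (unsigned long)wanted_entries(samples[i]),
               (unsigned long)alloc_bytes_word16(samples[i]),
               (unsigned long)alloc_bytes_word32(samples[i]),
               ok ? "accept" : "reject");
    }
    return 0;
}
```

With these assumed constants the 16-bit count wraps to zero as soon as the wanted entry count reaches 65536, while the 32-bit count stays at the intended size.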
1) This affects all common implementations, including the commercial one from SSH.com
2) This doesn't affect OpenSSH 2.3.0, which is Open Source!
Suck it.
--
--
"I personal[ly] think Unix is "superior" because on LSD it tastes like Blue." -- jbarnett
Mike Roberto
- GAIM: MicroBerto
Berto
Indeed you're right.
I find it odd that commercial companies, like our F-Secure, have been too tight to buy a copy of ProLint and run it, or have willfully ignored the warning messages that it would produce.
The 10 commandments of C programming still hold true...
FatPhil
-- Real Men Don't Use Porn. -- Morality In Media Billboards
Also FatPhil on SoylentNews, id 863
It's a race against the clock... All the Skript Kiddies who read /. settle in against all the sys admins... ready, set, go! Which one's easier to find, the patch, or the 'Sploit? Hurry, hurry!!!
When encryption is outlawed, ?o'AZ-,++o+i++##4AoA+-/-C++bI+/.+~
-Brian
You need to change a single variable declaration in one function and re-make. This is difficult to abuse and simple to correct.
Refer to the article for the patch/change.
-Rusty
The Master (Angelo Rossitto) in Mad Max Beyond Thunderdome, "Not shit, energy!"
The "standard" tarball linked under "getting source" on the OpenSSH page is for OpenBSD and does not have a configure script, just an installer.
If you download OpenSSH for a non OpenBSD box, make sure you pick the portable version. (under operating systems click on your operating system, or go to: http://www.openssh.com/portable.html).
-Matt
Script kiddie this, script kiddie that. I'm sick of it. I pay my taxes, I'm balding, I'm in serious debt to MasterCard... I'm a script adult.
there were arguments to switch to openssh before, but never one that was this practical in nature.
the only downside of openssh that i've seen was that it was a pain to figure out which compile-time options i needed. make sure you know exactly how your passwords are stored on your box. once i had that figured out, i liked it better than i ever liked the commercial SSH.
#define F(x) int main(){printf(#x,10,#x);}
F(#define F(x) int main(){printf(#x,10,#x);}%cF(%s))
Je t'aime Stéphanie
Debian 2.2 OpenSSH package has already been fixed. As usual, they have backported the fix to the version of ssh in stable (v1.2.3).
Make sure you have the Debian security sources in /etc/apt/sources.list, then apt-get update && apt-get upgrade.
deb http://security.debian.org/ stable/updates main contrib non-free
deb-src http://security.debian.org/ stable/updates main contrib non-free
/usr/share/doc/ssh/changelog.Debian.gz
openssh (1:1.2.3-9.2) stable; urgency=high
* Non-maintainer upload by Security Team
* Added backported fix for a buffer overflow (thanks to Piotr Roszatycki)
* Added modified build dependencies from unstable for convenience
* Added patch that fixes an rsa key exchange problem made public by CORE SDI.
-- Martin Schulze Thu, 8 Feb 2001 22:15:04 +0100
I'm going to go back in my box and will think within the limits of my box: MS Sucks Linux Good I read too much Slashdot.