Slashdot Mirror


Slashback: OpenSSH, Bio, Timeliness

Welcome to Slashback, with updates (below) on a handful of recent Slashdot posts. Most importantly, a message regarding OpenSSH 3.3 could save your system from attack -- read it; you might need to pass the word on to your vendor, too.

Things that make you want to bring back thumbscrews. A few days ago, we mentioned the release of OpenSSH 3.3; compared to previous versions, the biggest change in 3.3 is increased emphasis on privilege separation. Today, Theo de Raadt sent word of an OpenSSH vulnerability being worked on by ISS and the OpenBSD team, details of which are expected to be published early next week.

In an announcement sent to bugtraq, he wrote: "However, I can say that when OpenSSH's sshd(8) is running with priv separation, the bug cannot be exploited.

OpenSSH 3.3p was released a few days ago, with various improvements but in particular, it significantly improves the Linux and Solaris support for priv sep. However, it is not yet perfect. Compression is disabled on some systems, and the many varieties of PAM are causing major headaches.

However, everyone should update to OpenSSH 3.3 immediately, and enable priv separation in their ssh daemons, by setting this in your /etc/ssh/sshd_config file:

UsePrivilegeSeparation yes

Depending on what your system is, privsep may break some ssh functionality. However, with privsep turned on, you are immune from at least one remote hole. Understand?

3.3 does not contain a fix for this upcoming bug.

If priv separation does not work on your operating system, you need to work with your vendor so that we get patches to make it work on your system. Our developers are swamped enough without trying to support the myriad of PAM and other issues which exist in various systems. You must call on your vendors to help us."

Theo emphasizes the role of vendor cooperation in making privilege separation work on the full range of systems on which OpenSSH runs. "If the vendors don't start pulling their part," he says in an email, "by the time the bug is posted their customers will be left unprotected. These vendors who do not do the right job and instead just 'sell sell sell' are starting to become annoying. On a lot of systems today, privsep does NOT work well at all. The vendors have not been helping!"

A patched version of OpenSSH could be released as soon as Friday, incorporating vendor patches received by this Thursday.
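The sshd_config setting quoted above can be checked with a short script. This is an added example, not part of the announcement or of OpenSSH: the function names `privsep_state` and `check_privsep` and the sample file are constructed here. It relies on sshd using the first value it reads for a keyword and on keywords being case-insensitive.

```shell
#!/bin/sh
# Added example (not from the announcement); helper names are constructed.
# sshd uses the first value it reads for a keyword; keywords are
# case-insensitive and lines starting with "#" are comments.

# privsep_state FILE: print yes, no, another value, or "unset".
privsep_state() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next      # blank line or comment
        n = match(line, /[ \t=]/)                # end of the keyword
        if (n == 0) next
        key = tolower(substr(line, 1, n - 1))
        if (key != "useprivilegeseparation") next
        val = substr(line, n)
        sub(/^[ \t]*=?[ \t]*/, "", val)          # separator: blanks or "="
        sub(/[ \t].*$/, "", val)                 # keep the first token only
        gsub(/"/, "", val)
        print tolower(val); found = 1; exit      # first occurrence wins
    }
    END { if (!found) print "unset" }
    ' "$1"
}

# check_privsep FILE: status 0 only when the file explicitly enables privsep.
check_privsep() {
    state=$(privsep_state "$1") || return 2
    case "$state" in
        yes)   echo "OK: $1 sets UsePrivilegeSeparation yes" ;;
        unset) echo "WARN: $1 never sets UsePrivilegeSeparation"; return 1 ;;
        *)     echo "FAIL: $1 sets UsePrivilegeSeparation $state"; return 1 ;;
    esac
}

# Constructed sample: the commented-out line is ignored and the later "yes"
# is shadowed by the earlier "no", so the check fails.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# UsePrivilegeSeparation yes
Port 22
useprivilegeseparation no
UsePrivilegeSeparation yes
EOF
check_privsep "$sample" || echo "privsep is not enabled in the sample"
rm -f "$sample"
```

On a real host, pass the daemon's own configuration file, for example `check_privsep /etc/ssh/sshd_config`.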

Read More on Stallman. Vamphyri writes: "Sam Williams, author of 'Free as in Freedom', biography of GNU/Linux founder Richard M. Stallman has gone live with the online free version 1.0 of FAIFzilla.org. The paper pulp version publishers O'Reilly & Associates agreed under the terms of the GNU Free Document License and have their own version up at their site. Williams' site allows for content and corrections to be submitted by readers. He hopes for contributions to be included in later editions of the O'Reilly bio. Also: CGI coders wanted for site enhancement, paragraph and line numbering, searches etc. Maybe a CVS Tree is in order? :)"

"Urpmi Norton" doesn't work for some reason. MrResistor writes "Upon logging in to my computer at work this morning, I was greeted by a virus update notice from McAfee SecurityCenter. The update for today includes W97M/Melissa@MM, and of course McAfee's newly manuf^H^H^H^H^Hdiscovered threat, the W32/Perrun JPEG virus (which was also highlighted in yesterday's update). All of the updates in the last week or so have been rated Low or No Threat (except for Perrun, which is "Low On Watch"). It seems that in addition to manufacturing new threats, they're also rehashing old threats to keep subscription renewals up. Perhaps it's time for Slashdot to add an Ethics topic?"

5 of 373 comments

  1. Christ... by Tom7 · Score: 0, Troll

    Again, OpenSSH has another remote exploit! It is climbing my list of insecure software on my machine, which is pretty scary. Can't someone write secure software??

  2. Norton Blows by Verizon Guy · Score: 0, Troll

    I used to be a loyal Norton AV user for years, until they started with this "subscription" bullshit. I've been using McAfee ever since. $29 retail at Wal*Mart isn't that bad, and plus I get free updates every Wednesday sans subscription. It even runs an auto-update service so I don't even have to worry about updating... it takes care of itself! It even ships with other cool features like a monitor for Outlook (it checks for trends in messages... e.g., if I try to send a message with more than a couple of recipients in the To: field, HAWK halts the process and asks if I really want to send that e-mail). Annoying, yes, but at least I feel protected. That on top of Outlook's I-won't-let-anything-access-the-address-book feature (you can enable address book access for a minute or 5 at a time, if you wish, for things like Palm sync to access the addr book). What a deal. Peter Norton is a sellout. If I had a copy of Norton AV today, I'd wipe my ass with the CD, no matter how painful that may be!

    On another note... First the Apache hole, now this OpenSSH exploit? Looks like some folks are joining the ranks of Windows server users ;)

    --

    Aw, fuck it. Let's go bowling. - The Big Lebowski

  3. Re:TdR by Theo DeRaadt · Score: 0, Troll

    Yeah, those security exploits sure are craaaazy! I should be shipped to the loony bin!

    --
    Theo DeRaadt
    Founder, OpenBSD project.
  4. Re:TdR by Inthewire · Score: 0, Troll

    Do your nipples get sore after clamping and stretching?

    --


    Writers imply. Readers infer.
  5. Re:OpenBSD remote hole? by Wakko Warner · Score: 0, Troll

    Yeah, it would be ridiculous for a UNIX box to allow people to log into it.

    OpenBSD can eat a fat dick.

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"