Slashdot Mirror


New Vulnerabilities in Portable OpenSSH

An anonymous reader writes "The OpenSSH team has uncovered multiple exploitable vulnerabilities in the days-old portable release of OpenSSH. That's right folks: time to patch *again*. 3.7.1p2 is now available. Instructions and mirror list here. Please note that this vulnerability only affects *portable* OpenSSH--so if you are running OpenBSD, you're safe. This vulnerability apparently has to do with PAM, so you can use the 'UsePam no' option in your config file. Info on the advisory here and here."

7 of 324 comments

  1. Non-standard configuration by grub · · Score: 5, Informative


    From the article: At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled)

    Privilege Separation saves the day again. I think this is a testament to the forward thinking of the OpenBSD and OpenSSH people: they know that human error introduces potentially exploitable bugs, hence the work that went into PrivSep to minimize the risk.

    "The lengths some people will goto to try and damage Theo's pride" Most moronic submitter comment ever.

    --
    Trolling is a art,
  2. PAM is not in by default by Anonymous Coward · · Score: 4, Informative

    Before we all panic, note that PAM is not in the default build.

    It's also not in slackware builds (thanks Patrick).

  3. Re:I don't understand by Compenguin · · Score: 4, Informative

    From the portable openssh website:
    "Normal OpenSSH development produces a very small, secure, and easy to maintain version for the OpenBSD project. The OpenSSH Portability Team takes that pure version and adds portability code so that OpenSSH can run on many other operating systems (Unfortunately, in particular since OpenSSH does authentication, it runs into a *lot* of differences between Unix operating systems)."

  4. OpenSSH in RedHat 9 and others by avij · · Score: 5, Informative

    The RH-supplied latest OpenSSH (3.5p1-11) doesn't seem to accept the "UsePam no" directive that was suggested as a workaround, so if you go ahead and add that line to your /etc/ssh/sshd_config and say "service sshd restart", SSH will complain about an invalid configuration option and refuse to start. Just for your information..

    --

    Follow your Euro bills at EBT
    1. Re:OpenSSH in RedHat 9 and others by virtual_mps · · Score: 4, Informative

      More importantly, the problem only affects OpenSSH 3.7p and 3.7.1p, so adding "UsePam no" to a 3.5p installation is unnecessary.

  5. RedHat boxes are safe by menscher · · Score: 4, Informative

    Just to alleviate some of the panic, RedHat boxes are safe.

  6. Re:Is the default config file safe? by Ratcrow · · Score: 4, Informative

    No!

    From the top of sshd_config:

    "The strategy used for options in the default sshd_config shipped with OpenSSH is to specify options with their default value where possible, but leave them commented. Uncommented options change a default value."

    In other words, simply uncommenting the line changes nothing -- the default is shown commented. For the SRPMS of OpenSSH-3.7p1, UsePAM is set to Yes.
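
The sshd_config convention quoted in the last comment (commented lines only display a default), as an added example that is not part of the thread or of OpenSSH: a shell function that reports the UsePAM value a file explicitly sets. The sample files are constructed, and the function assumes sshd's documented parsing rules that keywords are case-insensitive and the first value found for a keyword is the one used.

```shell
#!/bin/sh
# Added example (not from the thread): report the UsePAM value that an
# sshd_config file explicitly sets. Prints "unset" when the keyword appears
# only in commented lines, meaning the compiled-in default of that build applies.
effective_usepam() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines set nothing
        {
            line = $0
            sub(/^[ \t]+/, "", line)         # tolerate leading indentation
            split(line, f, /[ \t=]+/)        # keyword and value: whitespace or "="
            if (tolower(f[1]) == "usepam") { # keywords are case-insensitive
                print f[2]; found = 1; exit  # first value wins, later lines ignored
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Constructed sample: shipped-style file, default shown but commented out.
sample_commented() { printf '%s\n' '#Port 22' '#UsePAM yes' 'Protocol 2'; }

# Constructed sample: workaround applied; the later UsePAM line has no effect.
sample_workaround() { printf '%s\n' '# local changes' 'usepam no' 'UsePAM yes'; }

demo() {
    tmp=$(mktemp) || return 1
    sample_commented > "$tmp"
    echo "commented only: $(effective_usepam "$tmp")"
    sample_workaround > "$tmp"
    echo "workaround:     $(effective_usepam "$tmp")"
    rm -f "$tmp"
}
demo
```

An "unset" result says nothing about which way the build defaults, so on an affected release the workaround only counts as applied when the function prints "no".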