Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Vulnerabilities in Portable OpenSSH

Posted by michael on from the will-get-it-right-eventually dept.

An anonymous reader writes "The OpenSSH team has uncovered multiple exploitable vulnerabilities in the days-old portable release of OpenSSH. That's right folks: time to patch *again*. 3.7.1p2 is now available. Instructions and mirror list here. Please note that this vulnerability only affects *portable* OpenSSH--so if you are running OpenBSD, you're safe. This vulnerability apparently has to do with PAM, so you can use the 'UsePam no' option in your config file. Info on the advisory here and here."

3 of 324 comments (clear)

  1. The Need for Open Source Watchdogs by TheCRE · · Score: 3, Interesting

    In light of the recent CERT/CC advisories regarding security vulnerabilities in the Sendmail and OpenSSH programs (even before the problems with new release of portable Open SSH) the Center for Regulatory Effectiveness' WatchDog Watch discussed the need for open source watchdogs. Please see, www.thecre.com/wdw/20030922_open_source.html Winston Security Director, WatchDog Watch

  2. Not so fast! by MarcQuadra · · Score: 3, Interesting

    Not so fast!

    The LAST vulnerabilities were for 3.6 and 3.7 as well, but 3.4 COULD be vulnerable as it's now 'off the beaten path' and these vulnerabilities seem to have been discovered in a code audit triggered by the recent attention given to OpenSSH. Apple had to patch their 3.4 version, and I'd expect another minor software update package from Apple in the next few days to address this.

    Anybody out there know if it's easy to build current versions (3.7.1p2, etc.) of OpenSSH on OS X with the developer tools installed, or is there some very compelling reason Apple is sticking to 3.4 and just adding to it?

    --
    "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
  3. Hmm... by Dr+Rick · · Score: 3, Interesting

    Doesn't it seem strange that the finding of multiple bugs in the same piece of open source software in a short period of time is stated as a strength of open source while the same thing in Microsoft software is stated as a weakness... Yes, in the open source case they were found by code inspection and in the case of Microsoft they were found by exploit, but a patch a day is still a patch a day. It's not always a good idea to rush patches out as soon as a potential hole is found...

    --

    Dr. Rick
    - "It's such a fine line between clever and stupid" (Nigel Tufnel)
    - Zort! (Pinky)