Slashdot Mirror


New Vulnerabilities in Portable OpenSSH

An anonymous reader writes "The OpenSSH team has uncovered multiple exploitable vulnerabilities in the days-old portable release of OpenSSH. That's right folks: time to patch *again*. 3.7.1p2 is now available. Instructions and mirror list here. Please note that this vulnerability only affects *portable* OpenSSH--so if you are running OpenBSD, you're safe. This vulnerability apparently has to do with PAM, so you can use the 'UsePam no' option in your config file. Info on the advisory here and here."

7 of 324 comments

  1. Non-standard configuration by grub · · Score: 5, Informative


    From the article: At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled)

    Privilege Separation saves the day again. I think this is a testament to the forward thinking of the OpenBSD and OpenSSH people: they know that human error introduces potentially exploitable bugs, hence the work that went into PrivSep to minimize the risk.

    "The lengths some people will go to to try and damage Theo's pride" Most moronic submitter comment ever.

    --
    Trolling is a art,
    1. Re:Non-standard configuration by grub · · Score: 5, Insightful


      Having a small amount of the sshd code running as root with the 'sshd' user handling the rest helps make it harder for other exploits. I don't think anyone would suggest that PrivSep makes an exploit impossible, but it is another great layer on the security-onion.

      --
      Trolling is a art,
  2. OpenSSH in RedHat 9 and others by avij · · Score: 5, Informative

    The RH-supplied latest OpenSSH (3.5p1-11) doesn't seem to accept the "UsePam no" directive that was suggested as a workaround, so if you go ahead and add that line to your /etc/ssh/sshd_config and say "service sshd restart", SSH will complain about an invalid configuration option and refuse to start. Just for your information..

    --

    Follow your Euro bills at EBT
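
The failure described in the comment above (an older sshd rejects an unknown directive and then refuses to start) can be caught before the restart. This is an added example, not part of the original thread: it assumes sshd's test mode (`-t`) and the path `/usr/sbin/sshd`, and `try_directive` and `SSHD_CHECK` are hypothetical names.

```shell
#!/bin/sh
# Added example: apply one sshd_config directive only if the installed sshd
# accepts it, so a rejected option never reaches the live configuration.
# Assumption: the validator is sshd's test mode, "sshd -t -f <file>", at the
# assumed path /usr/sbin/sshd (run as root so host keys are readable).
: "${SSHD_CHECK:=/usr/sbin/sshd -t -f}"

# try_directive <config-file> <directive line>
#   0 = candidate validated; file updated, previous copy kept as <file>.bak
#   1 = validator rejected the candidate; file left untouched
#   2 = local I/O error
try_directive() {
    cfg=$1
    line=$2
    tmp=$(mktemp "${cfg}.XXXXXX") || return 2

    # Build the candidate with the new directive first: sshd uses the first
    # value it reads for a keyword, so this overrides any later setting.
    if ! { printf '%s\n' "$line"; cat "$cfg"; } > "$tmp"; then
        rm -f "$tmp"
        return 2
    fi

    # Validate the candidate, not the live file. SSHD_CHECK is left unquoted
    # on purpose so "cmd -t -f" splits into a command and its arguments.
    if $SSHD_CHECK "$tmp" >/dev/null 2>&1; then
        # Write through the existing file to keep its owner and mode.
        if cp -p "$cfg" "${cfg}.bak" && cat "$tmp" > "$cfg"; then
            rc=0
        else
            rc=2
        fi
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Typical use (restart only when the directive was accepted):
#   try_directive /etc/ssh/sshd_config "UsePam no" && service sshd restart
```

A return value of 1 means the installed sshd does not know the option, so the workaround is unavailable on that build and the remaining fix is the vendor's patched package.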
  3. Re:JEBUS by Kalzus · · Score: 5, Insightful

    Arguably, this announcement *is* the result of an increase in code vetting on the part of the portable OpenSSH team. Just a thought.

    --
    "The Devil does not know a lot because He's the Devil, He knows a lot because he's old." -- unknown
  4. Re:Time for a new spin on security practices? by ninewands · · Score: 5, Insightful
    OpenSSH... A Microsoft product, right? Oops... Forgot, one can not criticize open source on the same standards we hold "M$"

    Well, yes, we should hold them both to the same standard ... so when Microsoft starts announcing its own self-discovered vulnerabilities and releasing Day-Zero patches to fix them I will be just as critical of OpenSSH security as I am of Windows *cough*security*cough*.
  5. "Patch *again*" == no big deal by psyconaut · · Score: 5, Insightful

    The poster seems to insinuate that patching again is a chore...security is, by very nature, a moving target. I'm *glad* they find vulnerabilities and post regular patches...proves to me, at least, that somebody is on-the-ball.

    Heck, just be thankful they don't belong to the Microsoft school of security and fixes ;-)

    -psy

  6. Re:Time for a new spin on security practices? by evought · · Score: 5, Insightful

    Also, notice that this is a problem which *may* be remotely exploitable in a *non-standard configuration*, when certain default security measures have been *disabled by the user*.
    This is not in the same league as "Oops, we left the RPC port open and rootable by default."

    The class of errors being fixed by OpenSSH is very different and the design takes security much more seriously.