Koozali.org: home of the SME Server

OpenSSH security bug

Alex Crouzen

« on: March 08, 2002, 12:06:08 PM »
While strolling through Slashdot today, I saw a warning for a possible exploit (local now, but possibly remote too) in OpenSSH, versions 2.0 up to 3.0.2.

Is this worth another security update, or is OpenSSH easily upgraded with an RPM? A 'simple' patch is given, but that means rebuilding the source, which on a stock server isn't possible.

Alex.

Rich Lafferty

Re: OpenSSH security bug
« Reply #1 on: March 08, 2002, 09:57:32 PM »
The problem code is only encountered after channels are established, and
channels are never established prior to authentication, so the bug can
only be exploited by authenticated users. Even then, it's an overflow
on the heap, not the stack, so it would be difficult to exploit at all,
and extremely difficult to exploit with an outcome other than "user's
ssh session terminates".

Your best strategy on this bug for now is to ensure that the users that
have access to your server are trustworthy, or disable SSH.

Cheers,

--Rich