[MLB-WIRELESS] Open SSH packages Trojaned

Alternate derf at optushome.com.au
Mon Oct 14 23:05:39 EST 2002


I normally don't say much on this list, but I think a few of you are
using SSH, so I thought it might be of some interest.

http://www.openssh.com/txt/trojan.adv

OpenSSH 3.4 released June 26, 2002.
Contains support for SSH1 and SSH2 protocols.

A trojan was discovered in the OpenSSH ftp distribution on August 1st.
Anyone who upgraded between July 30 and then is encouraged to read the
following advisory to learn how their system may have been compromised.

At least one major security vulnerability exists in many deployed
OpenSSH versions (2.3.1 to 3.3). Please see the ISS advisory, or our own
OpenSSH advisory on this topic where simple patches are provided for the
pre-authentication problem. Systems running with UsePrivilegeSeparation
yes are not vulnerable due to the jailed nature. As well, most systems
configured with both ChallengeResponseAuthentication no and
PAMAuthenticationViaKbdInt no are not affected. However some OpenSSH
versions modified from the original may still be affected even with the
latter two options, so we urge an upgrade or patch.

The 3.4 release contains many other fixes done over a week long audit
started when this issue came to light. We believe that some of those
fixes are likely to be important security fixes. Therefore, we urge an
upgrade to 3.4.


 - Frederik Grunta
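As an added example (not part of the post or the OpenSSH advisory), a small Python check that applies the configuration rule quoted above to an sshd_config: UsePrivilegeSeparation yes mitigates the pre-authentication problem outright, while ChallengeResponseAuthentication no together with PAMAuthenticationViaKbdInt no is only "probably" safe. The sample configs are constructed, and treating an unset directive as "not set" (rather than assuming a version-specific default) is an assumption of this check.

```python
"""Check an sshd_config against the mitigation rule quoted in the advisory text."""
import re

# Constructed samples, not real configs from the post.
WEAK_CONF = """# OpenSSH 3.3 style config with the pre-auth path still reachable
Port 22
UsePrivilegeSeparation no
ChallengeResponseAuthentication yes
"""
HARDENED_CONF = """# privilege separation on: jailed pre-auth code
UsePrivilegeSeparation yes
ChallengeResponseAuthentication yes
"""
OPTIONS_OFF_CONF = """# both keyboard-interactive paths off, privsep not set
ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt = no
# sshd uses the FIRST value of a keyword, so this later line is ignored
ChallengeResponseAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value}, keeping the first occurrence of each keyword.

    Mirrors sshd_config parsing: '#' starts a comment, keywords are
    case-insensitive, and keyword/argument are split by whitespace or '='.
    """
    seen = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip())
    return seen


def assess(conf):
    """Apply the advisory's rule; returns (status, reason).

    Assumption: a directive that is not present counts as not set, so the
    check errs on the side of reporting exposure.
    """
    if conf.get("useprivilegeseparation", "").lower() == "yes":
        return "mitigated", "UsePrivilegeSeparation yes jails the pre-auth code"
    cra = conf.get("challengeresponseauthentication", "").lower()
    pam = conf.get("pamauthenticationviakbdint", "").lower()
    if cra == "no" and pam == "no":
        return "likely-mitigated", "both kbd-int options off; modified builds may still be affected"
    return "exposed", "upgrade to OpenSSH 3.4 or apply the pre-auth patch"
```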


