[Fwd: LSH: Buffer overrun and remote root compromise in lshd]

Oliver Eikemeier eikemeier at fillmore-labs.com
Sat Sep 20 11:18:55 PDT 2003

Hi Ports,

port security/lsh 1.5.2 has a remote root compromise,
it seems that even the client part is affected.
Either someone upgrades it to 1.5.3 or we mark it as
broken for 4.9.

The announcement  is at:


-------- Original Message --------
Subject: LSH: Buffer overrun and remote root compromise in lshd
Date: 20 Sep 2003 10:58:55 +0200
From: nisse at lysator.liu.se (Niels Möller)

A security hole of the worst kind have been found in lshd. All
versions up to 1.4.2 and all versions in the 1.5.x series up to 1.5.2
are affected.

The primary threat is remote root compromise of the lshd server. Some
exploits programs have been published. It is also likely that a
malicious ssh server can exploit the lsh client.

All users of lsh servers and clients are strongly advised to upgrade
to 1.4.3 (stable) or 1.5.3 (development version, with the usual
caveats), and to immediately disable lshd service until the program
is upgraded.

For further details and instructions, see the [...] announcement of
the new versions. [...]


More information about the freebsd-ports mailing list