[Fwd: LSH: Buffer overrun and remote root compromise in lshd]
eikemeier at fillmore-labs.com
Sat Sep 20 11:18:55 PDT 2003
Port security/lsh 1.5.2 has a remote root compromise;
it seems that even the client part is affected.
Either someone upgrades it to 1.5.3 or we mark it as
broken for 4.9.
The announcement is at:
-------- Original Message --------
Subject: LSH: Buffer overrun and remote root compromise in lshd
Date: 20 Sep 2003 10:58:55 +0200
From: nisse at lysator.liu.se (Niels Möller)
A security hole of the worst kind has been found in lshd. All
versions up to 1.4.2 and all versions in the 1.5.x series up to 1.5.2
The primary threat is remote root compromise of the lshd server. Some
exploit programs have been published. It is also likely that a
malicious ssh server can exploit the lsh client.
All users of lsh servers and clients are strongly advised to upgrade
to 1.4.3 (stable) or 1.5.3 (development version, with the usual
caveats), and to immediately disable lshd service until the program
For further details and instructions, see the [...] announcement of
the new versions. [...]