OpenSSH-portable <= 3.6.1p1 bug?

Peter C. Lai sirmoo at cowbert.2y.net
Tue May 13 12:05:21 PDT 2003


I think this explains it pretty well: (it's under section 3. of the advisory
you posted).

<blockquote>
NOTE. FreeBSD uses both a different PAM implementation and a different PAM
support in OpenSSH: it doesn't seem to be vulnerable to this particular timing
leak issue.

All OpenSSH-portable releases <= OpenSSH_3.6.1p1 compiled with PAM support 
enabled (./configure --with-pam) are vulnerable to this information leak. The
PAMAuthenticationViaKbdInt directive doesn't need to be enabled in sshd_config.
</blockquote>

However, it lists MACOSX as "unconfirmed". I thought MACOSX used
the FreeBSD ssh implementation.

On Mon, May 12, 2003 at 11:31:03PM +0200, Omar Lopez wrote:
> Hi:
> I read this security advisory.
> http://lab.mediaservice.net/advisory/2003-01-openssh.txt
> Is my FreeBSD 5.0 affected? What other versions are affected?
> 
> Thanks.
> 

-- 
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology
Yale University School of Medicine
SenseLab | Research Assistant
http://cowbert.2y.net/
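As an added example that is not part of the message above or of the mediaservice.net advisory: a small POSIX sh check that applies the criteria quoted from the advisory to an OpenSSH version banner (the string `ssh -V` prints, or the first line a client receives from sshd). It treats a banner carrying `FreeBSD-YYYYMMDD` as FreeBSD's own OpenSSH, which the advisory says is not affected; treats a version without a `pN` suffix as a non-portable build, which the advisory does not cover; and flags portable releases up to 3.6.1p1. The banner strings in the demo loop are constructed; the `sshd_links_pam` helper (an `ldd` grep for libpam) is an assumption about how to confirm the `--with-pam` build condition and is not from the advisory.

```shell
#!/bin/sh
# Added example, not code from the thread or from the mediaservice.net advisory.
# It applies the affectedness criteria quoted in the thread to an "ssh -V" /
# sshd banner: FreeBSD's own OpenSSH is out of scope, portable releases are the
# ones carrying a "pN" suffix, and 3.6.1p1 is the last affected one.
# All banners used below are constructed for illustration.

# Extract the "X.Y[.Z][pN]" token from a banner such as
# "OpenSSH_3.6.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090701f".
openssh_version_token() {
    tok=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p')
    [ -n "$tok" ] || return 1
    printf '%s\n' "$tok"
}

# Turn a token into an integer that orders like the release sequence:
# major*1000000 + minor*10000 + patch*100 + portable level (3.6.1p1 -> 3060101).
openssh_version_num() {
    base=${1%%p*}
    plevel=${1#"$base"}; plevel=${plevel#p}
    major=${base%%.*}; rest=${base#"$major"}; rest=${rest#.}
    minor=${rest%%.*}; rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 10000 + ${patch:-0} * 100 + ${plevel:-0} ))
}

LAST_AFFECTED=$(openssh_version_num 3.6.1p1)

# Verdict for one banner, printed as a single word:
#   freebsd     FreeBSD's own OpenSSH (banner carries "FreeBSD-YYYYMMDD"): not affected
#   nonportable no "pN" suffix, i.e. not OpenSSH-portable: outside the advisory's scope
#   affected    portable release <= 3.6.1p1 (provided sshd was built --with-pam)
#   fixed       portable release newer than 3.6.1p1
#   unknown     banner not recognised as OpenSSH
classify_banner() {
    case "$1" in *FreeBSD-*) echo freebsd; return 0 ;; esac
    tok=$(openssh_version_token "$1") || { echo unknown; return 0; }
    case "$tok" in *p*) ;; *) echo nonportable; return 0 ;; esac
    if [ "$(openssh_version_num "$tok")" -le "$LAST_AFFECTED" ]; then
        echo affected
    else
        echo fixed
    fi
}

# The version alone is not enough: the advisory requires a PAM-enabled build.
# Assumption: a dynamically linked sshd built --with-pam pulls in libpam, so an
# ldd grep is a reasonable confirmation (a static build would need strings(1)).
sshd_links_pam() {
    ldd "$1" 2>/dev/null | grep -q libpam
}

# Demo over constructed banners (the FreeBSD one mimics the base-system format).
for banner in \
    'OpenSSH_3.6.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090701f' \
    'OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f' \
    'OpenSSH_3.5p1 FreeBSD-20021029, SSH protocols 1.5/2.0, OpenSSL 0x0090609f' \
    'OpenSSH_3.6.1, SSH protocols 1.5/2.0, OpenSSL 0x0090701f'
do
    printf '%-72s %s\n' "$banner" "$(classify_banner "$banner")"
done
```

Run it with `sh` on the machine in question and feed it the local banner, e.g. `classify_banner "$(ssh -V 2>&1)"`, then confirm the PAM condition with `sshd_links_pam /usr/sbin/sshd` (path is an assumption; adjust to where sshd lives). A verdict of `affected` only matters when both checks agree, which is exactly the two-part condition the advisory states.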


