OpenSSH: multiple vulnerabilities in the new PAM code
Jacques A. Vidrine
nectar at FreeBSD.org
Wed Sep 24 08:32:07 PDT 2003
On Wed, Sep 24, 2003 at 09:27:17AM -0500, D J Hawkey Jr wrote:
> On Sep 24, at 09:20 AM, Jacques A. Vidrine wrote:
> >
> > On Wed, Sep 24, 2003 at 11:16:03AM +0200, Sheldon Hearn wrote:
> > > On (2003/09/23 16:53), Haesu wrote:
> > >
> > > > Oh jee, here we go again. Hey, at least patched 3.5p1 on FreeBSD
> > > > 4.8/4.9 are not effected :)
> > >
> > > Since -CURRENT's using a modified OpenSSH_3.6.1p1, I don't think this
> > > issue affects FreeBSD at all.
> >
> > Unfortunately, it _does_ affect us. The PAM code in OpenSSH 3.7x was
> > taken from FreeBSD's PAM code. des@ is working the issue now.
>
> But just "portable", right?
No, not just OpenSSH-portable.
> Or are any "core" OpenSSHes across various
> FreeBSD releases also vulnerable?
I'm only talking about the base system OpenSSH above (which is based
on OpenSSH-portable), but both `openssh' and `openssh-portable' in the
Ports Collection are likely affected, as they contain the same code
(brought in by the port maintainer).
Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar at celabo.org . jvidrine at verio.net . nectar at freebsd.org . nectar at kth.se
More information about the freebsd-security
mailing list