North American Network Operators Group
Re: SSHD
Jeremy T. Bouse ([email protected]) @ 2002.06.26 13:40:28 +0000:

> Just be sure you read the full advisory and look deep into it
> and your own configuration. Recent news has come to light which appears
> that it is most *BSD OS flavors and those using BSD_AUTH and SKEY. Most
> often these are not enabled by default on non-BSD OSes.

According to several discussions that took place in the last 48 hours, the flaw fixed in 3.4 might also impact systems using PAM for authenticating ssh logins; it appears to me that the involved group of researchers did not test operating systems other than the free *BSDs. CA-2002-18 has some more vendor-specific information:

http://www.cert.org/advisories/CA-2002-18.html

Sure, it's a critical bug, but one should not overlook the Apache chunk handling vulnerability published in CA-2002-17, as it has apparently been integrated into skr1ptk1dd13's "tools" already. Depending on your site's policy you probably have tight restrictions on ssh access, but http is probably allowed from 0/0, so it might be even more critical.

regards,
/k

-- 
> [X] <-- nail here for new monitor
WebMonster Community Project -- Next Generation Networks GmbH -- All on BSD
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6
REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x
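The message above says the flaw is fixed in OpenSSH 3.4 and tells readers to check their own configuration. The following is an added example, not part of the original post or of any vendor tooling: a POSIX sh check that parses the version banner `ssh -V` prints (real banners look like "OpenSSH_3.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f") and reports whether the installed build predates 3.4. The sample banners in the comments are constructed. It is a version check only; it does not tell you whether BSD_AUTH, SKEY or PAM challenge-response is actually enabled on the host, and it cannot see vendor back-ported fixes that keep the old version string, so treat its output as a prompt to read CA-2002-18, not as a verdict.

```shell
#!/bin/sh
# Added example (not from the NANOG post): flag OpenSSH builds older than 3.4
# from the version banner. Only the major.minor part is compared; the patch
# level ("p1") and the rest of the banner are ignored.

# Prints "1" if the banner's OpenSSH version is below 3.4, "0" if it is
# 3.4 or later, and "unknown" (exit 2) if the banner cannot be parsed.
openssh_before_34() {
    banner="$1"
    # "OpenSSH_3.3p1, SSH protocols ..." -> "3 3"
    ver=$(printf '%s\n' "$banner" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    if [ -z "$ver" ]; then
        echo "unknown"
        return 2
    fi
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 4 ]; }; then
        echo 1
    else
        echo 0
    fi
}

# Check the locally installed build. ssh -V writes its banner to stderr.
# Constructed sample banners for reference:
#   "OpenSSH_3.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f"  -> 1 (older than 3.4)
#   "OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f"  -> 0
check_local_ssh() {
    banner=$(ssh -V 2>&1)
    case $(openssh_before_34 "$banner") in
        1) echo "older than 3.4, read CA-2002-18: $banner" ;;
        0) echo "3.4 or later: $banner" ;;
        *) echo "cannot parse banner: $banner" ;;
    esac
}
```

Run `check_local_ssh` on each host; because the comparison is purely on the version string, a distribution that patched an older release in place will still be reported as "older than 3.4", which is the conservative direction for an advisory like this one.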