[luau] openssh vulnerability

Warren Togami warren at togami.com
Tue Sep 23 09:29:00 PDT 2003


On Tue, 2003-09-23 at 08:25, Vince Hoang wrote:
> On Thu, Sep 18, 2003 at 06:29:32AM -1000, Deven Phillips wrote:
> > Thanks to quick action from our team at HCC, I am proud to say
> > that we had all of our systems patched as of 4PM yesterday
> > afternoon. Not bad for having to upgrade, patch, and test
> > 30+ productions machines without any serious interruptions to
> > service.
> 
> Can you be done by 3pm today? :/
> 
> http://www.openssh.com/txt/sshpam.adv
> 
>         Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple 
>         vulnerabilities in the new PAM code. At least one of these bugs 
>         is remotely exploitable (under a non-standard configuration, 
>         with privsep disabled).
> 
>         The OpenBSD releases of OpenSSH do not contain this code and 
>         are not vulnerable. Older versions of portable OpenSSH are not 
>         vulnerable.

I have heard some preliminary news that the openssh errata packages from
Red Hat's 9/17/03 release are NOT vulnerable to this problem.  My
sources have indicated that this is only an issue with 3.7x and not the
security fixes backported to the older version of openssh shipped in Red
Hat Linux.

If I hear more I will post again.

Warren
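As an added illustration of the two conditions the quoted advisory names (one of the affected portable releases, 3.7p1 or 3.7.1p1, plus privilege separation switched off for the remotely exploitable case), here is a small POSIX shell exposure check. It is example code written for this page, not code from the LUAU list or from the OpenSSH project; the sample sshd_config and the version banner it is run against are constructed, and the function names are the author's own.

```shell
#!/bin/sh
# Exposure check for the conditions in sshpam.adv, as quoted in the thread.
# Added example for this page; not code from the LUAU list or from OpenSSH.
# Assumption: "affected" means one of the two portable releases the advisory
# names, and "remotely exploitable" means that release with privsep disabled.

# Exit 0 when a version banner (as printed by `ssh -V`) names one of the two
# affected portable releases. The banner looks like
# "OpenSSH_3.7.1p1, SSH protocols 1.5/2.0, OpenSSL ...", so keep the first token.
affected_version() {
    v=${1%%,*}
    v=${v%% *}
    case "$v" in
        OpenSSH_3.7p1|OpenSSH_3.7.1p1) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 when the sshd_config text on stdin explicitly disables privsep.
# sshd uses the first occurrence of a directive and defaults
# UsePrivilegeSeparation to yes, so only a first-seen "no" counts.
privsep_disabled() {
    v=$(sed 's/#.*//' | awk '
        tolower($1) == "useprivilegeseparation" && v == "" { v = tolower($2) }
        END { print v }')
    [ "$v" = "no" ]
}

# Classify a host from its version banner ($1) and its sshd_config on stdin.
# Prints one of: not-affected, affected-privsep-on, affected-remote.
assess() {
    if ! affected_version "$1"; then
        echo not-affected
    elif privsep_disabled; then
        echo affected-remote
    else
        echo affected-privsep-on
    fi
}

# Constructed sample sshd_config (not taken from any real host).
sample_config() {
    cat <<'EOF'
# Commented-out directives must be ignored
#UsePrivilegeSeparation yes
UsePrivilegeSeparation no
UsePrivilegeSeparation yes
EOF
}

# Demo against a constructed banner; on a live host use
#   assess "$(ssh -V 2>&1)" < /etc/ssh/sshd_config
# (ssh -V writes the banner to stderr).
sample_config | assess "OpenSSH_3.7.1p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003"
```

The check only recognises upstream version strings. A distribution that backports fixes without changing the version, which is what Warren describes for the Red Hat errata packages, keeps its older banner and is judged "not-affected" here in line with the advisory's "older versions of portable OpenSSH are not vulnerable"; whether such a package actually carries the fixes is a question for the vendor's errata notice, not for this banner.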
