OpenSSH Vulnerability

Thread: OpenSSH Vulnerability

  1. #1
    Senior Member
    Join Date
    Aug 2001
    Posts
    410

    OpenSSH Vulnerability

    The text below is from - http://www.pine.nl/advisories/pine-cert-20020301.txt

    Pine Internet Security Advisory
    -----------------------------------------------------------------------------
    Advisory ID : PINE-CERT-20020301
    Authors : Joost Pol <joost@pine.nl>
    Issue date : 2002-03-07
    Application : OpenSSH
    Version(s) : All versions between 2.0 and 3.0.2
    Platforms : multiple
    Vendor informed : 20020304
    Availability : http://www.pine.nl/advisories/pine-cert-20020301.txt
    -----------------------------------------------------------------------------

    Synopsis

    A bug exists in the channel code of OpenSSH versions 2.0 - 3.0.2

    Users with an existing user account can abuse this bug to
    gain root privileges. Exploitability without an existing
    user account has not been proven but is not considered
    impossible. A malicious ssh server could also use this bug
    to exploit a connecting vulnerable client.

    Impact

    HIGH: Existing users will gain root privileges.

    Description

    Simple off by one error. Patch included.

    Solution

    The OpenSSH project will shortly release version 3.1.

    Upgrading to this version is highly recommended.

    This version will be made available at http://www.openssh.com

    The FreeBSD port of OpenSSH has been updated to reflect the
    patches as supplied in this document.

    OpenSSH CVS has been updated, see

    http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ \
    channels.c.diff?r1=1.170&r2=1.171

    Or apply the attached patch as provided by PINE Internet:

    http://www.pine.nl/advisories/pine-cert-20020301.patch

    With that being said, you can download OpenSSH 3.1 here; the security hole is fixed in this release.
    savIRC :: The Multi-Platform IRC Client v. 1.8 [Released 9.04.02]
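
An added example, not part of the original post or the advisory: a check that classifies an SSH banner or `ssh -V` string against the affected range the advisory states (2.0 through 3.0.2). The function names and sample banners are constructed for illustration.

```python
import re

# Affected range as stated in PINE-CERT-20020301: 2.0 through 3.0.2 inclusive.
FIRST_AFFECTED = (2, 0, 0)
LAST_AFFECTED = (3, 0, 2)

# Matches "OpenSSH_3.0.2p1", "OpenSSH_2.9", "OpenSSH_2.9.9p2" inside a banner
# or `ssh -V` output. The portable suffix (pN) is matched but ignored.
_VERSION_RE = re.compile(r"OpenSSH[_-](\d+)\.(\d+)(?:\.(\d+))?(p\d+)?")


def parse_openssh_version(text):
    """Return (major, minor, patch), or None if no OpenSSH version is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3)
    return (int(major), int(minor), int(patch or 0))


def classify(text):
    """Classify a banner as 'affected-range', 'not-affected' or 'unknown'."""
    version = parse_openssh_version(text)
    if version is None:
        return "unknown"
    if FIRST_AFFECTED <= version <= LAST_AFFECTED:
        # A vendor build may carry the patch without a version bump
        # (the advisory notes the FreeBSD port was updated), so in-range
        # means "check the package changelog", not "confirmed vulnerable".
        return "affected-range"
    return "not-affected"


# Constructed sample banners, not captured from real hosts.
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_2.9p2",
    "SSH-2.0-OpenSSH_3.0.2p1",
    "SSH-2.0-OpenSSH_3.1",
    "SSH-1.5-OpenSSH_1.2.3",
    "SSH-2.0-SomeOtherServer_1.0",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner:32} {classify(banner)}")
```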

  2. #2
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    Thanks for the post...
    I will have to update NOW ! ! !
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  3. #3
    Member
    Join Date
    Jan 2002
    Posts
    37
    I run SSH on my Linux server... thank you very much for this information, it is greatly appreciated.

    Andrew

  4. #4
    Thanks for that information, I'll be upgrading REAL soon !!!
