caker
Joined: 15 Apr 2003
Posts: 2386
Location: Galloway, NJ
|
| Posted: Tue Sep 16, 2003 2:21 pm Post subject: OpenSSH security fix |
|
|
RedHat, Gentoo, and Debian (at least) contain a security vulnerability in OpenSSH which will allow someone to remotely execute code as root.
Red Hat's Errata Page:
https://rhn.redhat.com/errata/RHSA-2003-279.html
To upgrade, run the following commands (for Debian and RedHat):
apt-get update
apt-get install openssh
Please make sure your SSH daemons are either patched or upgraded.
Word,
-Chris |
|
|
kenny
Joined: 27 Jun 2003
Posts: 66
|
| Posted: Tue Sep 16, 2003 3:45 pm Post subject: Re: OpenSSH security fix |
|
|
updates.redhdat.com wrote: There are too many connected users, please try later.
weeee......
Has anyone ever used lsh? I'd really like to quit running openssh as these types of problems seem to be pretty common. I wish Dan Bernstein would write an ssh server :lol:
Kenny |
|
|
qbatqbat
Joined: 02 Jul 2003
Posts: 13
Location: UK
|
| Posted: Wed Sep 17, 2003 7:30 am Post subject: SSH again |
|
|
Depending on when you followed Chris' instructions regarding yesterday's vulnerability, you may need to upgrade SSH again:
Quote:
------------------------------------------------------------------------
Debian Security Advisory DSA-382-2 security@debian.org
http://www.debian.org/security/ Wichert Akkerman
September 17, 2003
------------------------------------------------------------------------
Package : ssh
Vulnerability : buffer handling
Problem type : possible remote
Debian-specific: no
CVS references : CAN-2003-0693 CAN-2003-0695
This advisory is an addition to the earlier DSA-382-1 advisory: two more
buffer handling problems have been found in addition to the one
described in DSA-382-1. It is not known if these bugs are exploitable,
but as a precaution an upgrade is advised.
For the Debian stable distribution these bugs have been fixed in version
1:3.4p1-1.woody.2 .
Please note that if a machine is set up to install packages from
proposed-updates it will not automatically install this update.
|
|
|
caker
Joined: 15 Apr 2003
Posts: 2386
Location: Galloway, NJ
|
| Posted: Wed Sep 17, 2003 7:19 pm Post subject: |
|
|
Sure enough, the Red Hat repository contains a newer version than the one from yesterday afternoon.
apt-get update
apt-get install openssh
Also note that I haven't updated the distros to contain these (and potentially other) security fixes. First thing out the door you should do with any new install is make sure it is up to date. (apt-get update; apt-get upgrade)
-Chris |
|