
Re: OpenSSH and debian?



Yes,
It's somewhat of a new bug that spawned from the media service advisory on 
user enumeration via a timing issue if OpenSSH is compiled with PAM support.

It's not a remote root per se, but mainly an enumeration weakness.

By applying the 'nodelay' option for pam_unix.so, this 'feature' is remedied.

On Tuesday 06 May 2003 09:47, Diederik de Vries wrote:
> Hi there!
>
> Today I was surfing on SecurityFocus, and saw that there was a hole in
> OpenSSH (http://www.securityfocus.com/bid/7482/info/). Debian Potato
> uses OpenSSH 3.1 p1, which seems to be exploitable.
>
> Is this true, am I missing something or what?
>
> Thanks!
>
>
> Diederik de Vries
> Netnation Europe
>
> Heemraadsingel 188
> 3021 DM Rotterdam
> T: +31-10-4776515
> F: +31-10-2440250

-- 
------------------------------
Orlando Padilla
http://www.g0thead.com/xbud.asc
"I only drink to make other people interesting" 
------------------------------
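
An added example, not part of the original message: a shell function that lists `auth` lines in PAM service files where pam_unix.so is used without the `nodelay` option named in the reply. The function name `pam_unix_missing_nodelay` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: report auth-stack pam_unix.so entries that lack 'nodelay'.
# Assumes one rule per line (backslash continuations are not joined).
pam_unix_missing_nodelay() {
    awk '
        {
            line = $0
            sub(/[ \t]*#.*$/, "")          # drop comments; fields are re-split
            if (NF == 0) next
            type = $1; sub(/^-/, "", type)  # a leading "-" on the type is allowed
            if (type != "auth") next        # the option only matters for auth
            has_unix = 0; has_nodelay = 0
            # Scan every field so bracketed controls like
            # [success=1 default=ignore] do not shift the module position.
            for (i = 2; i <= NF; i++) {
                if ($i ~ /(^|\/)pam_unix\.so$/) has_unix = 1
                if ($i == "nodelay") has_nodelay = 1
            }
            if (has_unix && !has_nodelay)
                printf "%s:%d: %s\n", FILENAME, FNR, line
        }
    ' "$@"
}

# Constructed sample of a PAM service file (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
auth       required   pam_env.so
auth       required   pam_unix.so nullok
auth       [success=1 default=ignore] pam_unix.so nodelay nullok
account    required   pam_unix.so
password   required   pam_unix.so nullok obscure md5
session    required   pam_unix.so
EOF

# Prints only line 3, the auth entry without nodelay.
pam_unix_missing_nodelay "$sample"
rm -f "$sample"
```

On a live host the function can be pointed at the files under `/etc/pam.d/`; which service file sshd uses depends on the distribution and release.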


