the openssh exploit

To: debian-security@lists.debian.org
Subject: the openssh exploit
From: Paul Baker <pbaker@where2getit.com>
Date: Mon, 24 Jun 2002 23:00:46 -0500
Message-id: <[🔎] 2099CE7E-87F0-11D6-8A0B-0003937562B8@where2getit.com>

Does anyone know if the openssh exploit that 3.3 is supposed to not fix,but do damage control for, is it still exploitable if you have set your/etc/hosts.deny to deny all hosts, and then /etc/hosts.allow to onlyallow from trusted ips.

In other words, if a malicious ssh request comes from an ip that isalready denied via tcp_wrapper support in ssh, will it still be able toexploit OpenSSH < 3.3?


I'm not on the list, so cc me please.

--
Paul Baker

"They that can give up essential liberty to obtain a little temporarysafety deserve neither liberty nor safety."

         -- Benjamin Franklin, 1759

GPG Key: http://homepage.mac.com/pauljbaker/public.asc


--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: the openssh exploit
  - From: David B Harris <eelf@sympatico.ca>
- Re: the openssh exploit
  - From: Anthony DeRobertis <asd@suespammers.org>

Prev by Date: Re: open ssh exploit - user not getting created
Next by Date: Re: open ssh exploit - user not getting created
Previous by thread: Re: open ssh exploit - user not getting created
Next by thread: Re: the openssh exploit
Index(es):
- Date
- Thread