linux, säkerhet

10732845 2003-09-23 06:40 -0600 /36 rader/ Damien Miller <djm@cvs.openbsd.org>
Importerad: 2003-09-23 19:12 av Brevbäraren
Extern mottagare: openssh-unix-announce@mindrot.org
Extern kopiemottagare: announce@openbsd.org
Extern kopiemottagare: bugtraq@securityfocus.com
Extern kopiemottagare: lwn@lwn.net
Extern kopiemottagare: misc@openbsd.org
Extern kopiemottagare: news@linuxsecurity.com
Extern kopiemottagare: openssh-unix-dev@mindrot.org
Extern kopiemottagare: pab@ct.heise.de
Extern kopiemottagare: secureshell@securityfocus.com
Extern kopiemottagare: technik@genua.de
Extern kopiemottagare: timothy@monkey.org
Extern kopiemottagare: webmaster@deadly.org
Mottagare: Bugtraq (import) <29139>
Ärende: Multiple PAM vulnerabilities in portable OpenSSH
------------------------------------------------------------
From: Damien Miller <djm@cvs.openbsd.org>
To: openssh-unix-announce@mindrot.org
Cc: announce@openbsd.org, bugtraq@securityfocus.com, lwn@lwn.net,
 misc@openbsd.org, news@linuxsecurity.com,
 openssh-unix-dev@mindrot.org, pab@ct.heise.de,
 secureshell@securityfocus.com, technik@genua.de, timothy@monkey.org,
 webmaster@deadly.org
Message-ID: <200309231240.h8NCePCd025947@cvs.openbsd.org>

Subject: Portable OpenSSH Security Advisory: sshpam.adv

This document can be found at:  http://www.openssh.com/txt/sshpam.adv

1. Versions affected:

        Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
        vulnerabilities in the new PAM code. At least one of these
        bugs  is remotely exploitable (under a non-standard
        configuration,  with privsep disabled).

        The OpenBSD releases of OpenSSH do not contain this code and 
        are not vulnerable. Older versions of portable OpenSSH are not 
        vulnerable.

2. Solution:

        Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM 
        support ("UsePam no" in sshd_config). 

        Due to complexity, inconsistencies in the specification and
        differences between vendors' PAM implementations we recommend
        that PAM be left disabled in sshd_config unless there is a
        need  for its use. Sites only using public key or simple
        password  authentication usually have little need to enable
        PAM support.
(10732845) /Damien Miller <djm@cvs.openbsd.org>/(Ombruten)
Kommentar i text 10732638 av Kent Engström <kent@unit.liu.se>