Subject: Re: Fwd: OpenSSH UseLogin proof of concept exploit
To: Jonathan R. Hinds <email@example.com>
From: Lubomir Sedlacik <salo@Xtrmntr.org>
Date: 12/06/2001 04:07:02
Content-Type: text/plain; charset=us-ascii
On Wed, Dec 05, 2001 at 06:55:20PM -0800, Jonathan R. Hinds wrote:
> I am fairly sure this has been fixed as of OpenSSH 3.0.2p1 -- released
> December 2nd.
that could be true. i do not argue. but there is nothing at OpenSSH's website
about this vulnerability (http://www.openssh.com/security.html), there was =
security advisory sent to firstname.lastname@example.org. and afaik, i haven't seen
this anywhere except today's post to vuln-dev (nothing in bugtraq, ..).
you are right, there is mail about this sent to openssh-unix-dev:
thank you for pointing this out.
though i still think there should be a NetBSD security advisory released and
appropriate patches made. not every user of NetBSD is subscribed there and
someone could have UseLogin allowed for various reasons.
-- Lubomir Sedlacik <salo@Xtrmntr.org>   ASCII Ribbon campaign against  /"\
--                  <email@example.com>  e-mail in gratuitous HTML and  \ /
--                                       Microsoft proprietary formats   X
-- PGPkey: http://Xtrmntr.org/salo.pgp                                  / \
-- Key Fingerprint: DBEC 8BEC 9A90 ECEC 0FEF 716E 59CE B70B 7E3B 70E2