Subject: Re: OpenSSH Priv Sep and Remote Exploit?
To: None <email@example.com, firstname.lastname@example.org>
From: Mark E. Perkins <email@example.com>
Date: 06/26/2002 08:44:54
--On Tuesday, June 25, 2002 11:14 +0900 firstname.lastname@example.org wrote:
> users of NetBSD 1.4 and 1.5 are strongly recommended to upgrade
> openssh by using pkgsrc, namely pkgsrc/security/openssh/Makefile
> revision 1.73 (openssh-220.127.116.11).
I have some comments/questions on this....
1) I'm running NetBSD 1.5 and recently updated ssh via pkgsrc to 3.2.3p1. I
updated my pkgsrc tree last night (pkgsrc.tar.gz date of 22 June), but
pkgsrc/security/openssh/Makefile still shows the version I installed (i.e.,
rev 1.72 and openssh-3.2.3p1). Did I somehow manage to pull the wrong
pkgsrc tree (mine came from /pub/NetBSD/NetBSD-current/tar_files)? If not,
when can we expect to see 18.104.22.168 in pkgsrc?
2) In the interim, is it sufficient to enable UsePrivilegeSeparation (in
.../sshd_config) for 3.2.3p1, add the sshd user (which required creating
/var/empty)? Based on earlier comments in this thread, this seems to be
enough (I see an sshd-user-owned sshd when I connect with ssh).