Subject: Re: OpenSSH Priv Sep and Remote Exploit?
To: None <tech-pkg@netbsd.org, tech-security@netbsd.org>
From: Mark E. Perkins <perkinsm@bway.net>
List: tech-pkg
Date: 06/26/2002 08:44:54
--On Tuesday, June 25, 2002 11:14 +0900 itojun@iijlab.net wrote:

> 	users of NetBSD 1.4 and 1.5 are strongly recommended to upgrade
> 	openssh by using pkgsrc, namely pkgsrc/security/openssh/Makefile
> 	revision 1.73 (openssh-3.3.0.1).
> 
> itojun

I have some comments/questions on this....

1) I'm running NetBSD 1.5 and recently updated ssh via pkgsrc to 3.2.3p1. I
updated my pkgsrc tree last night (pkgsrc.tar.gz date of 22 June), but
pkgsrc/security/openssh/Makefile still shows the version I installed (i.e.,
rev 1.72 and openssh-3.2.3p1). Did I somehow manage to pull the wrong
pkgsrc tree (mine came from /pub/NetBSD/NetBSD-current/tar_files)? If not,
when can we expect to see 3.3.0.1 in pkgsrc?

2) In the interim, is it sufficient to enable UsePrivilegeSeparation (in
.../sshd_config) for 3.2.3p1, add the sshd user (which required creating
/var/empty)? Based on earlier comments in this thread, this seems to be
enough (I see an sshd-user-owned sshd when I connect with ssh).

Thanks,
Mark