Subject: Re: OpenSSH Priv Sep and Remote Exploit?
To: Mark E. Perkins <email@example.com>
From: None <firstname.lastname@example.org>
Date: 06/26/2002 21:47:21

>1) I'm running NetBSD 1.5 and recently updated ssh via pkgsrc to 3.2.3p1. I
>updated my pkgsrc tree last night (pkgsrc.tar.gz date of 22 June), but
>pkgsrc/security/openssh/Makefile still shows the version I installed (i.e.,
>rev 1.72 and openssh-3.2.3p1). Did I somehow manage to pull the wrong
>pkgsrc tree (mine came from /pub/NetBSD/NetBSD-current/tar_files)? If not,
>when can we expect to see 22.214.171.124 in pkgsrc?
not sure. mirroring delays?
>2) In the interim, is it sufficient to enable UsePrivilegeSeparation (in
>.../sshd_config) for 3.2.3p1, add the sshd user (which required creating
>/var/empty)? Based on earlier comments in this thread, this seems to be
>enough (I see an sshd-user-owned sshd when I connect with ssh).
it should be sufficient if you explicitly enable UsePrivilegeSeparation
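
The three pieces discussed in this message (an explicit UsePrivilegeSeparation setting, the sshd user, and /var/empty) can be checked with a short script. This is an added example, not part of the original thread. The function names and the optional owner-uid argument are hypothetical, and the ownership, permission and emptiness checks on the directory follow OpenSSH's README.privsep guidance rather than anything stated in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Every path is an argument so the checks
# can be run against copies of the real files.

# Succeeds only if the first uncommented UsePrivilegeSeparation line is "yes".
# sshd keeps the first value it reads for a keyword and matches keywords
# case-insensitively, so a later "yes" does not override an earlier "no".
privsep_enabled() {
    val=$(awk '/^[ \t]*#/ { next }
        tolower($1) == "useprivilegeseparation" { print $2; exit }' "$1")
    [ "$val" = "yes" ]
}

# Succeeds if a passwd-format file has an entry for the sshd user.
sshd_user_exists() {
    awk -F: '$1 == "sshd" { found = 1 } END { exit !found }' "$1"
}

# Succeeds if DIR ($1) is an empty directory owned by uid $2 (default 0, root)
# and not writable by group or others.
chroot_dir_ok() {
    [ -d "$1" ] && [ -z "$(ls -A "$1")" ] || return 1
    ls -ldn "$1" | awk -v uid="${2:-0}" '{
        ok = ($3 == uid && substr($1, 6, 1) != "w" && substr($1, 9, 1) != "w")
        exit !ok
    }'
}

# privsep_check CONFIG PASSWD DIR [OWNER_UID]
# Prints one line per failed check; returns non-zero if any check failed.
privsep_check() {
    rc=0
    privsep_enabled "$1"    || { echo "UsePrivilegeSeparation is not explicitly yes in $1"; rc=1; }
    sshd_user_exists "$2"   || { echo "no sshd user in $2"; rc=1; }
    chroot_dir_ok "$3" "$4" || { echo "$3 is missing, non-empty, wrongly owned or writable"; rc=1; }
    return $rc
}
```

Run it as `privsep_check <path to sshd_config> /etc/passwd /var/empty`; the fourth argument exists only so the directory check can be exercised without root.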