Subject: Re: OpenSSH Priv Sep and Remote Exploit?
To: Mark E. Perkins <>
From: None <>
List: tech-security
Date: 06/26/2002 21:47:21
>1) I'm running NetBSD 1.5 and recently updated ssh via pkgsrc to 3.2.3p1. I
>updated my pkgsrc tree last night (pkgsrc.tar.gz date of 22 June), but
>pkgsrc/security/openssh/Makefile still shows the version I installed (i.e.,
>rev 1.72 and openssh-3.2.3p1). Did I somehow manage to pull the wrong
>pkgsrc tree (mine came from /pub/NetBSD/NetBSD-current/tar_files)? If not,
>when can we expect to see in pkgsrc?

	not sure.  mirroring delays?

>2) In the interim, is it sufficient to enable UsePrivilegeSeparation (in
>.../sshd_config) for 3.2.3p1, add the sshd user (which required creating
>/var/empty)? Based on earlier comments in this thread, this seems to be
>enough (I see an sshd-user-owned sshd when I connect with ssh).

	it should be sufficient if you explicitly enable UsePrivilegeSeparation
	with 3.2.3p1.