Re: ssh update or upgrade required? which is it?
On Mon, Jun 24, 2002 at 06:14:18PM -0700, justin cunningham wrote:

> Hi list, can you please clarify something for me -- this should be pretty straightforward, so sorry if the question seems a bit lame. Can you please reply to the email in addition to the list, since I'm not currently subscribed.
>
> I read this release http://www.debian.org/security/2002/dsa-134 and it says to upgrade to ssh 3.3p1 for woody and that the package for potato hasn't yet been compiled. On my stable boxes I ran apt-get update and it pulled down some patches from security, though the only recent post for security updates is this one, so was my OpenSSH from the potato branch updated proficiently or do I need to install this new version? If I need to install ssh 3.3 and want the rest of my box to stay in stable until woody is complete, how do I do this?
>
> Thanks, Justin

According to my traversing through the security updates section via FTP, the ssh version there for potato i386 is 1.2.3-9.4. So no, you haven't fixed the vulnerability via any apt-get upgrades ...

You really have two options: download the ssh source and compile it yourself, or wait until the potato update gets done. I presume potato is still being security patched, at least until a bit after Woody is released.

- Chris

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: ssh update or upgrade required? which is it?
Chris writes:

> I presume potato is still being security patched, at least until a bit after Woody is released.

There is a fix coming for Potato. It is considerably more difficult. The security team only had four hours notice.

--
John Hasler [EMAIL PROTECTED] (John Hasler)
Dancing Horse Hill
Elmwood, WI
Re: ssh update or upgrade required? which is it?
On Monday 24 June 2002 20:51 pm, John Hasler wrote:

> Chris writes:
>
> > I presume potato is still being security patched, at least until a bit after Woody is released.
>
> There is a fix coming for Potato. It is considerably more difficult. The security team only had four hours notice.

After all the flak they've taken about the delays in releasing woody, they deserve a pile of attaboys for getting the woody packages out so quick.

--
Bud Rogers [EMAIL PROTECTED] http://www.sirinet.net/~budr
All things in moderation. And not too much moderation either.
RE: ssh update or upgrade required? which is it? [now restricting ssh]
If I wanted to restrict ssh to only listen for my office's IP until it gets patched, how do I do this? I tried editing sshd_config and putting my office IP as the ListenAddress, but it didn't work. What did I do incorrectly?

Thanks, Justin

ps: please reply to email address as well as deb list.

-----Original Message-----
From: Chris Kenrick [mailto:[EMAIL PROTECTED]
Sent: Monday, June 24, 2002 6:29 PM
To: justin cunningham
Cc: debian-user@lists.debian.org
Subject: Re: ssh update or upgrade required? which is it?
Re: ssh update or upgrade required? which is it? [now restricting ssh]
On Mon, Jun 24, 2002 at 07:32:45PM -0700, justin cunningham wrote:

> If I wanted to restrict ssh to only listen for my office's IP until it gets patched, how do I do this? I tried editing sshd_config and putting my office IP as the ListenAddress, but it didn't work. What did I do incorrectly?
>
> Thanks, Justin
>
> ps: please reply to email address as well as deb list.

According to the sshd manpage (well, at least here on Redhat), if ssh has been compiled with LIBWRAP support, then you can use /etc/hosts.allow and /etc/hosts.deny to achieve what you want. See man 5 hosts_access. Someone else might be so kind as to post the exact syntax.

- Chris
Re: ssh update or upgrade required? which is it? [now restricting ssh]
On Mon, Jun 24, 2002 at 07:32:45PM -0700, justin cunningham wrote:

> If I wanted to restrict ssh to only listen for my office's IP until it gets patched, how do I do this? I tried editing sshd_config and putting my office IP as the ListenAddress, but it didn't work. What did I do incorrectly?

Debian's sshd knows about libwrap, so you can block people out like so:

    /etc/hosts.deny:
    sshd: ALL

    /etc/hosts.allow:
    sshd: hosts_that_you_want_to_be_able_to_connect

Now, whether this stops the exploit that Theo's bragging about, who knows? No one knows the particulars of it yet. :(

It's probably a good idea to always be restricting who can connect to those you WANT to be connecting, in any case. You could also do it with ipchains/iptables, and only let the IPs through that you wanted through.

--
Marc Wilson [EMAIL PROTECTED]
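ListenAddress in sshd_config sets the local address sshd binds to, not which clients may connect, which is why the edit in the question had no effect; the hosts.allow/hosts.deny pair Chris and Marc describe is the right mechanism. The following is an added example, not code from the thread, that checks a candidate rule set against client addresses offline using hosts_access(5) evaluation order (allow file first, then deny file, default allow); 192.0.2.10 and 198.51.100.0/24 are constructed placeholders for the office addresses.

```python
import ipaddress

# Constructed rule files modelled on Marc's reply; the addresses are placeholders.
HOSTS_ALLOW = """# /etc/hosts.allow
sshd: 192.0.2.10
sshd: 198.51.100.0/255.255.255.0
"""
HOSTS_DENY = """# /etc/hosts.deny
sshd: ALL
"""


def parse_rules(text):
    """Return [(daemon_list, client_list)] from hosts_access(5)-style text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, ip):
    """Subset of hosts_access(5) client patterns: ALL, exact IP, net/mask, trailing-dot prefix."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # "192.168.1." matches any 192.168.1.x
        return ip.startswith(pattern)
    if "/" in pattern:                   # net/mask form, e.g. 198.51.100.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip


def rule_matches(rules, daemon, ip):
    """True if any rule names this daemon (or ALL) and any of its client patterns match."""
    return any((daemon in ds or "ALL" in ds) and any(client_matches(c, ip) for c in cs)
               for ds, cs in rules)


def access_allowed(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts_access(5) order: a hosts.allow match wins, then hosts.deny, else access is granted."""
    if rule_matches(parse_rules(allow), daemon, ip):
        return True
    if rule_matches(parse_rules(deny), daemon, ip):
        return False
    return True
```

Note that with `sshd: ALL` in hosts.deny only, any daemon not listed there (and any sshd not built with libwrap) is still reachable, so a packet filter rule on port 22 remains the belt-and-braces option Marc mentions.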