On Wed Jun 26, 2002 at 05:40:25PM +0200, Oden Eriksson wrote:

[...]
> > Probably not a good idea.  privsep is the official workaround to an
> > undisclosed remote root in openssh; the fix for this hole will be
> > available when the information is provided; having privsep enabled
> > with some uncomfortable side-effects for a week is a helluvalot more
> > comfortable than getting rooted.
> 
> As so many times before, I spoke too soon. Now that I've read more about
> it I realize the threat.

=)  And it's now public... expect the exploits any hour now.

> > If you are tempted to disable privsep, I would encourage you to shut
> > off sshd entirely.  If that's not possible, use privsep and, as they
> > say, grin and bear it.
> 
> No, I will use it, there's currently no other option it seems.

Not really.  Except upgrading to 3.4 and then you can turn privsep off
since the vulnerability is fixed.

> > system wide.  I haven't had a chance to announce it yet, but it's
> > already on the FTP sites.  It won't show in MandrakeUpdate because it
> > is a new package (and only needed for people interested in rebuilding
> > srpms).
> 
> Very nice, I will check it out ASAP.

/me still has to announce it

> > > Oh.., I found another missing file in the openssh package (+ some minor
> > > fixes), a patch is attached.
> >
> > Thanks.. I'll take a look at it shortly.  Trying to do my part in
> > helping the openssh developers iron out some bugs in the privsep code.
> 
> Cool.

Well, 3.4 looks a little better, but still problems with PAM.  I hope
a 3.4.1 fixes all of the PAM issues, but until then, 3.4 is your best
bet (you can use it without privsep if you are really concerned about
expired passwords, etc.).

In cooker, and building it for updates.  This one will be going thru
QA so the packages won't be available today for updates.

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
{GnuPG: 1024D/FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD}

Current Linux kernel 2.4.18-6.10mdk uptime: 18 days 15 hours 25 minutes.
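Added example, not code from this thread or from the OpenSSH project: a small Python check that applies the rule the replies above give (3.4 fixes the hole; anything older is only covered while privsep is on) to a version banner and an sshd_config fragment. It assumes 3.3/3.4 semantics, where UsePrivilegeSeparation defaults to yes when the keyword is absent and the first occurrence of a keyword wins; the banner and config below are constructed.

```python
import re

# Assumption: the thread's rule, 3.4 fixes the hole, older releases need privsep.
FIXED_IN = (3, 4)


def parse_version(banner):
    """Extract (major, minor) from a banner such as 'OpenSSH_3.3p1'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("not an OpenSSH banner: %r" % banner)
    return int(m.group(1)), int(m.group(2))


def privsep_enabled(config_text):
    """True if UsePrivilegeSeparation is effectively on.

    Comments are stripped, the first non-comment occurrence wins (sshd takes
    the first value it reads), and an absent keyword means the 3.3/3.4
    default of 'yes' (assumption stated in the lead-in)."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "useprivilegeseparation" and len(parts) == 2:
            return parts[1].strip().lower() == "yes"
    return True


def assess(banner, config_text):
    """Classify a host as 'fixed', 'mitigated' or 'exposed'."""
    if parse_version(banner) >= FIXED_IN:
        return "fixed"        # 3.4 or later: privsep is optional again
    if privsep_enabled(config_text):
        return "mitigated"    # older release, but privsep contains the hole
    return "exposed"          # older release with privsep off: upgrade or stop sshd


# Constructed sample input, not taken from any real host.
SAMPLE_BANNER = "OpenSSH_3.3p1"
SAMPLE_CONFIG = """# constructed sshd_config fragment
Port 22
UsePrivilegeSeparation no   # disabled because of PAM trouble
"""

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONFIG))
```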
