At 12:23 Uhr -0400 26.06.2002, Chris Devers wrote:
>[This is really aimed at fink-devel, but I've cc'ed -users too as
>I'm not sure if I'm properly subscribed to -devel at the moment...]

Ugh, not good, in that case only send to fink-users, but please don't 
cross post unless it is absolutely necessary, and then, send the 
messages separately to each list.

>There's a remote security exploit in versions of OpenSSH prior to
>this week's release of 3.4.
>
>From: http://slashdot.org/article.pl?sid=02/06/26/1547242
>
>     Dan writes: "OpenSSH 3.4 has been released and will be
>     shortly available on all mirrors. All versions of
>     OpenSSH's sshd between 2.9.9 and 3.3 contain an input
>     validation error that can result in an integer overflow
>     and privilege escalation. OpenSSH 3.4 fixes this bug."
>     And kylus writes: "The previously-mentioned
>     vulnerability in OpenSSH has been disclosed by ISS
>     X-Force today on the BugTraq list. This is a potential
>     remote root compromise, and while there is a workaround,
>     it's advised that users upgrade to version 3.4 as soon
>     as they can."
>
>http://online.securityfocus.com/archive/1/278818/2002-06-23/2002-06-29/0
>
>Fink is currently providing a package for 3.2.2, which is one of
>the vulnerable versions. Will an upgrade be coming out, Max?

Yes. However, please folks, don't spread panic. 
ChallengeResponseAuthentication is off by default, and only when it 
is on does any danger exist. Hence for the vast majority of SSH users 
there is *NO* risk involved currently. Of course an updated package 
will be put out shortly, but it's not as bad as one might get 
the impression it is.




Max
-- 
-----------------------------------------------
Max Horn
Software Developer

email: <mailto:[EMAIL PROTECTED]>
phone: (+49) 6151-494890
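
A triage check for the two conditions named in this thread (sshd version in the quoted 2.9.9 to 3.3 range, and ChallengeResponseAuthentication switched on), as an added example that is not part of the original messages or of Fink or OpenSSH. The function names, result labels and sample config are constructed for illustration; the default for the option is a parameter, set here to "off" as stated in the reply above.

```python
import re

# Range quoted in the thread: sshd 2.9.9 through 3.3 affected, 3.4 fixed.
# Treating both ends as inclusive is an assumption of this example.
FIRST_AFFECTED = (2, 9, 9)
LAST_AFFECTED = (3, 3, 0)
KEYWORD = "challengeresponseauthentication"

def parse_version(text):
    """Turn 'OpenSSH_3.2.2p1' or '3.3' into a comparable (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def in_affected_range(version_text):
    return FIRST_AFFECTED <= parse_version(version_text) <= LAST_AFFECTED

def challenge_response_enabled(config_text, default_enabled=False):
    """Effective value of the option in sshd_config text.

    Keywords are case-insensitive and sshd uses the first value it obtains.
    default_enabled=False follows the reply above (assumption); pass True
    if the build being audited defaults the other way.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        tokens = re.split(r"[\s=]+", line)
        if tokens[0].lower() == KEYWORD and len(tokens) > 1 and tokens[1]:
            return tokens[1].strip('"').lower() == "yes"
    return default_enabled

def triage(version_text, config_text, default_enabled=False):
    """Return 'not-affected-version', 'affected-version-option-off' or 'exposed'."""
    if not in_affected_range(version_text):
        return "not-affected-version"
    if challenge_response_enabled(config_text, default_enabled):
        return "exposed"
    return "affected-version-option-off"

# Constructed sshd_config fragment, not taken from any real host.
SAMPLE_CONFIG = """\
Port 22
#ChallengeResponseAuthentication no
challengeresponseauthentication yes
ChallengeResponseAuthentication no
"""
```

A host reported as "affected-version-option-off" still needs the upgrade to 3.4; the label only records that the condition described in the reply is not met by the file checked.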

