On Mon, Oct 02, 2006 at 02:25:05PM -0700, Colin Percival wrote: > Theo de Raadt wrote: > >> The OpenSSH project believe that the race condition can lead to a Denial > >> of Service or potentially remote code execution > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > Bullshit. Where did anyone say this? > > The OpenSSH 4.4 release announcement says that, actually: > > * Fix an unsafe signal hander reported by Mark Dowd. The signal > handler was vulnerable to a race condition that could be exploited > to perform a pre-authentication denial of service. On portable > OpenSSH, this vulnerability could theoretically lead to > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > pre-authentication remote code execution if GSSAPI authentication > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > is enabled, but the likelihood of successful exploitation appears > remote.
Theo: Maybe you should put people in charge who can read their own release announcements before flaming a mailing list. _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[EMAIL PROTECTED]"
