-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 To: Secure Shell
Subject: Multiple PAM vulnerabilities in portable OpenSSH Date: Sep 23 2003 12:40PM Author: Damien Miller <djm cvs openbsd org> Message-ID: <[EMAIL PROTECTED]> Subject: Portable OpenSSH Security Advisory: sshpam.adv This document can be found at: http://www.openssh.com/txt/sshpam.adv 1. Versions affected: Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled). The OpenBSD releases of OpenSSH do not contain this code and are not vulnerable. Older versions of portable OpenSSH are not vulnerable. 2. Solution: Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM support ("UsePam no" in sshd_config). Due to complexity, inconsistencies in the specification and differences between vendors' PAM implementations we recommend that PAM be left disabled in sshd_config unless there is a need for its use. Sites only using public key or simple password authentication usually have little need to enable PAM support. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQE/cKj6Ji2cv3XsiSARAgSXAKCnphtbWIwF2kxwYspPwcnQ2nC1HgCdFQqo nFIlRMEGrI/7QvUcVCwYL7o= =jsqb -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
