Revised: Portable OpenSSH security advisory: portable-keysign-rand-helper.adv

2011-05-03 Thread Damien Miller
OpenSSH Security Advisory: portable-keysign-rand-helper.adv This document may be found at: http://www.openssh.com/txt/portable-keysign-rand-helper.adv 1. Vulnerability Portable OpenSSH's ssh-keysign utility may allow unauthorised local access to host keys on platforms if

Advisory: jBCrypt 0.3 character encoding vulnerability

2010-02-01 Thread Damien Miller
a previous version of jBCrypt will not verify using jBCrypt-0.3. This may necessitate re-hashing of such passwords. This bug was responsibly disclosed by Aliaksandr Radzivanovich. Damien Miller d...@mindrot.org February 1, 2010

Re: OpenSSH security advisory: cbc.adv

2008-11-25 Thread Damien Miller
On Mon, 24 Nov 2008, Nick Boyce wrote: [ahem] ... Sorry to be dumb, but ... On Fri, Nov 21, 2008 at 10:19 AM, Damien Miller [EMAIL PROTECTED] wrote: Based on the description contained in the CPNI report and a slightly more detailed description forwarded by CERT this issue appears

OpenSSH security advisory: cbc.adv

2008-11-21 Thread Damien Miller
OpenSSH Security Advisory: cbc.adv Regarding the Plaintext Recovery Attack Against SSH reported as CPNI-957037[1]: The OpenSSH team has been made aware of an attack against the SSH protocol version 2 by researchers at the University of London. Unfortunately, due to the report lacking any

Re: Solaris telnet vulnerability - how many on your network?

2007-02-15 Thread Damien Miller
On Tue, 13 Feb 2007, Gadi Evron wrote: We all agree it is not a very likely possibility, but I wouldn't rule it out completely just yet until more information from Sun becomes available. What more information do you need? You have an advisory, access to the source code, access to the change

Re: GnuPG 1.4 and 2.0 buffer overflow

2006-12-05 Thread Damien Miller
On Mon, 27 Nov 2006, Werner Koch wrote: GnuPG 1.4 and 2.0 buffer overflow [snip] The code in question has been introduced on July 1, 1999 and is a pretty obvious bug. make_printable_string is supposed to replace possible dangerous

Re: Strengthen OpenSSH security?

2006-04-20 Thread Damien Miller
On Mon, 17 Apr 2006, Brett Glass wrote: It seems to me that sshd should not tip its hand by returning different responses when a user ID can be used for logins than when it can't -- allowing an attacker to focus password guessing attacks on user IDs with which it would have a chance of

Re: cleartext passwords get into log files

2006-02-06 Thread Damien Miller
On Fri, 3 Feb 2006, [EMAIL PROTECTED] wrote: the cleartext password came into the log file because someone has been out of concentration and entered the password instead of the username in some client for connecting to a ssh server. Seeing what accounts people are trying to log into is also

Re: ps information leak in FreeBSD

2003-01-09 Thread Damien Miller
Crist J. Clark wrote: Any program that asks for a password on the command line should have the common decency to overwrite/obfuscate it, along the lines of, case 'p': passwd = optarg; optarg = ; break; So that it doesn't show up in any ps output. That works only for OSs which