[rescue] OpenSSH (was: Security lockdown)
rescue at sunhelp.org
Tue Jun 25 00:33:09 CDT 2002
> Just lurking on the thread and came across this which was posted
> yesterday, figured it kind of fitted.
>
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102495293705094

It does fit, since one of the other things I do as part
of my "standard" lockdown is to install OpenSSH. I'm
still on the devel list, although the kluge I had written
to produce an OpenSSH pkgadd-installable package has
been replaced with a better kluge.

For anyone who hasn't looked at the message, let me summarize:

1. There's a new bug in OpenSSH. Fix not yet available.

2. If you're not using OpenSSH, wait until 3.3.1p1 so that
   you get the fix for the latest bug (once ISS and the core
   OpenSSH developers come up with a fix.) You *do* need
   to install OpenSSH unless you only ever use your system
   from the console, though...

3. If you're currently using OpenSSH, then you want to move
   to 3.3p1 (A/K/A 3.3.0p1) to get the latest greatest code
   with PrivSep, that will help protect you against many
   types of bugs. It won't necessarily protect you against
   the latest bug, though. It *should*, but... =8-(

4. If anyone wants pre-built OpenSSH packages for Solaris
   (and trusts me to build them) or wants help in building
   them, then contact me off-list.

5. There *is* no number 5. These are not the bug reports
   you're looking for.

--Rip