[SECURITY-L] OpenSSH 3.4 released

Daniela Regina Barbetti Silva daniela em ccuec.unicamp.br
Wed Jun 26 13:09:42 -03 2002


Dear Administrators,

 
   A serious security bug has been discovered in OpenSSH (versions 2.9.9
   to 3.3).
   We advise upgrading, as quickly as possible, to
   version 3.4.

   If it is not possible to upgrade immediately, then change
   the sshd configuration to prevent possible intrusions:
   - Edit the file /etc/ssh/sshd_config
   - Add the line "ChallengeResponseAuthentication no"
   - Restart sshd:
     - kill -9 <sshd_process_number>
     - /usr/sbin/sshd


--
Systems and Network Security Team
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br


----- Forwarded message from Markus Friedl <Markus_Friedl em genua.de> -----

From: Markus Friedl <Markus_Friedl em genua.de>
Subject: [S] OpenSSH 3.4 released
To: misc em openbsd.org
Date: Wed, 26 Jun 2002 16:40:27 +0200

OpenSSH 3.4 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued
support and encouragement.


Changes since OpenSSH 3.3:
============================ 

Security Changes:
=================

  All versions of OpenSSH's sshd between 2.9.9 and 3.3
  contain an input validation error that can result in
  an integer overflow and privilege escalation.

  OpenSSH 3.4 fixes this bug.

  In addition, OpenSSH 3.4 adds many checks to detect 
  invalid input and mitigate resource exhaustion attacks.

  OpenSSH 3.2 and later prevent privilege escalation
  if UsePrivilegeSeparation is enabled in sshd_config.
  OpenSSH 3.3 enables UsePrivilegeSeparation by
  default.


Reporting Bugs:
===============

- please read http://www.openssh.com/report.html
  and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller and Ben Lindstrom.


----- End forwarded message -----
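The interim mitigation the advisory above describes (adding "ChallengeResponseAuthentication no" to sshd_config) as an added example, not code from the advisory or the OpenSSH project: it checks the directive the way sshd reads its config (first occurrence of a keyword wins, keyword case-insensitive, comments ignored), applies it idempotently, and verifies the result. It assumes a POSIX sh with awk and takes the config path as a parameter so it can be tried on a copy before touching /etc/ssh/sshd_config; the sample config in demo() is constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): apply and verify the interim
# "ChallengeResponseAuthentication no" mitigation in an sshd_config file.

# Value sshd would use for a keyword: blank lines and comments are skipped,
# the keyword match is case-insensitive, and the first occurrence wins
# (sshd_config semantics), so a later "yes" does not override it.
effective_value() {
  awk -v key="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# Succeeds (exit 0) only when the mitigation is actually in effect.
mitigation_applied() {
  v=$(effective_value "$1" ChallengeResponseAuthentication | tr 'A-Z' 'a-z')
  [ "$v" = "no" ]
}

# Prepend the directive so it precedes any existing setting; no change is
# made when the mitigation is already in effect (safe to re-run).
apply_mitigation() {
  mitigation_applied "$1" && return 0
  tmp="$1.new.$$"
  { echo "ChallengeResponseAuthentication no"; cat "$1"; } > "$tmp" && mv "$tmp" "$1"
}

# Stand-alone demo on a constructed sample config (not a real sshd_config).
demo() {
  sample=$(mktemp) || return 1
  printf '# constructed sample\nPort 22\n  challengeresponseauthentication yes\n' > "$sample"
  mitigation_applied "$sample" && echo "already mitigated" || echo "not mitigated"
  apply_mitigation "$sample"
  mitigation_applied "$sample" && echo "mitigated"   # prints "mitigated"
  rm -f "$sample"
}
demo
```

After editing the real file, sshd still has to be restarted as the advisory says for the change to take effect.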



