[plug] If you use OpenSSH *anywhere* NOW is the time to update it (oh and PHP (And some radius too))

Craig Foster fostware at iinet.net.au
Fri Mar 8 17:08:54 WST 2002


Before everyone gets paranoid, it mostly works with a valid account
already. (It's in the link.)

Debian packages should be available real soon now, and replacement
packages for other distributions will come soon.

RPMs and source are available to upgrade to OpenSSH 3.1 at:
http://www.openssh.org

Check with your vendors.

More importantly, has everyone updated their PHP4, or at least set it not to
do file uploads? That *doesn't* need a password :(

1) There is a patch release to PHP 4.1.2 which apparently addresses the
PHP vulnerabilities, but you have to get both patches.
2) Even if you're running PHP scripts that do not utilize file uploads,
you're still vulnerable unless you disable file uploads in php.ini,
and...
3) If you DO disable file uploads in php.ini, you can't send messages
through any PHP webmail you may be running.

See http://bugs.php.net/bug.php?id=15772 for more.

And if you run RADIUS? Well, there's some research you'd already know
about.

And all this after a hell of an SNMP week :)

If you haven't a clue what I'm talking about, I'd suggest keeping an eye
on security websites like cert.org and securityfocus.com (or maybe even
theregister.co.uk, but that's a stretch :)

Regards,

Craig Foster
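The php.ini check behind points 2 and 3 above, as an added example that is not part of the original post or of PHP's own tooling: a small POSIX shell script that reads a php.ini, strips comments, takes the last `file_uploads` assignment and reports whether PHP would still accept uploads. A missing directive is reported as enabled, because PHP's built-in default for `file_uploads` is On. The three ini fragments it inspects are constructed for illustration, not taken from any real host.

```shell
#!/bin/sh
# Added example, not from the original post: report whether a php.ini leaves
# file_uploads enabled. The sample ini files below are constructed for illustration.

# php_file_uploads_value INI_FILE
# Print the effective file_uploads value in lower case. Comments (; or #) are
# stripped, and the last uncommented assignment wins, as in PHP's ini parser.
# If the directive is absent entirely, PHP's built-in default is On, so print 1.
php_file_uploads_value() {
    val=$(sed -e 's/[;#].*$//' "$1" \
        | grep -i '^[[:space:]]*file_uploads[[:space:]]*=' \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/^"\(.*\)"$/\1/' -e 's/[[:space:]]*$//' \
        | tr '[:upper:]' '[:lower:]')
    if [ -z "$val" ] && ! grep -iq '^[[:space:]]*file_uploads[[:space:]]*=' "$1"; then
        val=1    # directive missing: PHP defaults to uploads on
    fi
    printf '%s\n' "$val"
}

# php_file_uploads_enabled INI_FILE
# Exit 0 when PHP would accept uploads with this php.ini, 1 when it would not.
# PHP reads On/Yes/True or a non-zero number as true; anything else is false.
php_file_uploads_enabled() {
    case "$(php_file_uploads_value "$1")" in
        on|yes|true|[1-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on three constructed php.ini fragments (not from any real host).
demo() {
    tmp=$(mktemp -d)
    # Weak: uploads left on, the exposure the post warns about.
    printf 'file_uploads = On\nupload_max_filesize = 2M\n' > "$tmp/weak.ini"
    # Hardened: uploads off, the mitigation the post describes (webmail sends break).
    printf '; file_uploads = On\nfile_uploads = Off\n' > "$tmp/hardened.ini"
    # Silent: no directive at all, so PHP falls back to its default of On.
    printf 'register_globals = Off\n' > "$tmp/missing.ini"
    for name in weak hardened missing; do
        if php_file_uploads_enabled "$tmp/$name.ini"; then
            echo "$name.ini: file_uploads ENABLED (value: $(php_file_uploads_value "$tmp/$name.ini"))"
        else
            echo "$name.ini: file_uploads disabled"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Run it against a real php.ini with `php_file_uploads_enabled /path/to/php.ini` (the path is yours to supply); the "missing" case matters most in practice, since an ini that never mentions the directive looks harmless but leaves uploads on.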

> -----Original Message-----
> From: Leon Brooks [mailto:leon at brooks.fdns.net]
> Sent: Friday, 8 March 2002 4:06 PM
> To: Perth Linux User Group
> Subject: [plug] If you use OpenSSH *anywhere* NOW is the time to update it
>
>
> No known exploits yet but pretty scary:
>
>     http://www.pine.nl/advisories/pine-cert-20020301.txt
>
> So... where do you use OpenSSH? On your home boxes? Work boxes? Customers of
> customers? Prepackaged stuff that you sold and others set up? Friends' boxes
> that you forgot you even touched? Clubs? Charities? A data logger stuck on a
> hill near Paraburdoo or Sandfire?
>
> Anyone interested in a Dynamic DNS setup so that when this next happens you
> can find everyone as they dial in? (-:
>
> Cheers; Leon
>
>
>

