[plug] X11 connection rejected with updated ssh

Bill Kenworthy billk at iinet.net.au
Fri Sep 26 10:11:42 WST 2003


Sorry, can't make much sense of what you wrote:  I have a redhat 7.0 box
that is no longer supported, so I just installed the ssh from openssh.
No RPMs as they are getting an utter pain to build and install (spoiled
by gentoo!).

Unless you have patched a previous version to fix the hole, I read the
situation as that you are more vulnerable keeping older versions such as
3.6p2 than installing 3.7.1p2.  The PAM problems are related to new code
to handle the PAM stuff in 3.7, and while they acknowledge there is a
hole, it is nowhere near as serious as the older code, and no exploit
existed for it the last time I checked, and only those using PAM (which
unfortunately is redhat) are affected.

If you have a redhat rpm that has the patches/3.7 code you are
relatively safe, if waiting, you are not.

BillK

On Fri, 2003-09-26 at 09:57, James Devenish wrote:
> In message <1064540324.3703.4.camel at bunyip.murdoch.edu.au>
> on Fri, Sep 26, 2003 at 09:38:44AM +0800, Bill Kenworthy wrote:
> > You might want to reconsider as I believe that prior to 3.7, there is an
> > exploit in the wild for some months and it apparently has been used to
> > hack into boxes.
> [...]
> > Basically, if you are not running the latest version, you are
> > vulnerable.
> 
> I'm not sure if you were replying to me or to Leon and his 3.6p2. If me,
> you are implying that the code flaw has not been identified but is
> nevertheless absent from 3.7.1p2. That is to say: if the nature of the
> flaw were known, a security alert would have been made and the patch
> should have made its way into RedHat's errata. The URL I gave was to fix
> the vulnerabilities up to 3.7.1p1. Having a look around RedHat Network, I
> can't see that they released any RPM for 3.7.1p2. If RedHat backported
> the PAM-related bugs, then people will have to make/find their own RPMs
> for the time being. But if the PAM bugs were not backported, then it
> would be safer to use one of RedHat's old versions than 3.7.1p1 (and
> there wouldn't be a need to upgrade to 3.7.1p2 on account of the PAM
> flaws).
> 

_______________________________________________
plug mailing list
plug at plug.linux.org.au
http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug
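The version boundaries argued over above (anything before 3.7 has the old hole; 3.7 up to 3.7.1p1 carries the PAM problem, and only for hosts authenticating through PAM; 3.7.1p2 fixes it) can be turned into a quick banner check. The following is an added example and not code from Bill, James or the PLUG list; it assumes the boundaries exactly as the thread states them, and the banner strings in it are constructed for illustration. Note the caveat the thread itself raises: a vendor such as RedHat may backport the fix into an RPM without changing the version string, so a banner check only tells you the upstream version, never whether a distro package has been patched.

```python
"""Classify OpenSSH server banners against the version boundaries
discussed in the thread.  Added example, not from the list post.
Assumption: pre-3.7 = old hole; 3.7 .. 3.7.1p1 = PAM problem (only
if PAM auth is in use); 3.7.1p2 and later = fixed.  Distro packages
can backport fixes without bumping the banner, so treat a "vulnerable"
result as "check the vendor errata", not as proof.
"""
import re
import socket
from typing import Optional, Tuple

# (major, minor, micro, portable "p" level); missing parts count as 0,
# so "3.7" -> (3, 7, 0, 0) and "3.6p2" -> (3, 6, 0, 2).
Version = Tuple[int, int, int, int]

# Matches the OpenSSH part of a banner such as "SSH-2.0-OpenSSH_3.7.1p2".
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")

PRE_FIX_CUTOFF: Version = (3, 7, 0, 0)   # below this: the pre-3.7 hole
PAM_FIX: Version = (3, 7, 1, 2)          # first release with the PAM code fixed


def parse_banner(banner: str) -> Optional[Version]:
    """Extract the OpenSSH version tuple from a server banner, or None."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, micro, plevel = m.groups()
    return (int(major), int(minor), int(micro or 0), int(plevel or 0))


def classify(banner: str, uses_pam: bool) -> str:
    """Map a banner to the risk category the thread describes."""
    v = parse_banner(banner)
    if v is None:
        return "unknown: not an OpenSSH banner"
    if v < PRE_FIX_CUTOFF:
        return "vulnerable: pre-3.7 release (upstream version; vendor may have backported)"
    if v < PAM_FIX:
        if uses_pam:
            return "pam-affected: 3.7.x before 3.7.1p2 with PAM authentication"
        return "ok: 3.7.x without PAM (PAM problem not reachable)"
    return "ok: 3.7.1p2 or later"


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server's identification line; sshd sends it first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("ascii", "replace").strip()


if __name__ == "__main__":
    # Constructed banners for illustration (not captured from real hosts).
    samples = [
        ("SSH-1.99-OpenSSH_3.6p2", True),     # Leon's 3.6p2
        ("SSH-2.0-OpenSSH_3.7.1p1", True),    # PAM users affected
        ("SSH-2.0-OpenSSH_3.7.1p1", False),   # no PAM, PAM hole unreachable
        ("SSH-2.0-OpenSSH_3.7.1p2", True),    # current release
        ("SSH-2.0-dropbear", True),           # not OpenSSH at all
    ]
    for banner, pam in samples:
        print(f"{banner:28} pam={pam!s:5} -> {classify(banner, pam)}")
```

To check a live host, feed the result of grab_banner() to classify(); grab_banner() needs network access and is only called when you ask for it, so the sample run above works offline.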
