[plug] X11 connection rejected with updated ssh
Craig Ringer
craig at postnewspapers.com.au
Fri Sep 26 10:23:23 WST 2003
> Sorry, can't make much sense of what you wrote: I have a redhat 7.0 box
> that is no longer supported, so I just installed the ssh from openssh.
> No RPMs as they are getting an utter pain to build and install (spoiled
> by gentoo!).
Aha. Well, since you're using a vanilla openssh build, your comments
earlier make sense.
Many people, especially with newer distros for which security fixes are
still available from the vendor, use the vendor packages with backported
security fixes. As such, ssh pre 3.7.1p1 need not mean that they're
vulnerable, as a fix may have been backported by the vendor.
> Unless you have patched a previous version to fix the hole, I read the
> situation as that you are more vulnerable keeping older versions such as
> 3.6p2 than installing 3.7.1p2. The pam problems are related to new code
> to handle the pam stuff in 3.7, and while they acknowledge there is a
> hole, it is nowhere near as serious as the older code, and no exploit
> existed for it the last time I checked, and only those using PAM (which
> unfortunately is redhat) are affected.
That'll be why there are no patches for the PAM stuff being released -
3.7 isn't in distros yet. RH9 uses 3.5.x, Debian Woody uses 3.4.x, etc.
> If you have a redhat rpm that has the patches/3.7 code you are
> relatively safe, if waiting, you are not.
Indeed. All I was trying to point out is that unless you know the origin
of somebody's copy of openssh, you can't assume it's vulnerable based on
the version number. That said, 3.1p4 is probably too ancient for the
distro it's built in to have security fixes still coming out (potato?
RH6.2?) so it's likely to be vulnerable.
So, Rob, unless you have backported patches for the security holes and
have applied them, or found an updated package, you'll probably want to
be building the latest openssh - at least if your machine is connected
to the 'net.
Craig Ringer
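As an added example, not part of the original message: a small Python helper that parses OpenSSH version strings (the `3.6p2` / `3.7.1p2` style used in the thread) and, following Craig's point, refuses to call a build "vulnerable" from the number alone when the banner carries a vendor suffix that may indicate backported fixes. The banner strings and the `3.7.1p2` cut-off are taken from the thread; the distro-suffix banner below is a constructed sample.

```python
import re

# Release the thread recommends installing; used as the comparison cut-off.
FIXED = "3.7.1p2"

# OpenSSH versions look like MAJOR.MINOR[.PATCH][pPORTABLE], e.g. 3.6p2, 3.7.1p2.
_VER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?\b")


def parse_version(banner: str):
    """Return (major, minor, patch, portable) from an OpenSSH version/banner string,
    or None if no OpenSSH version token is present. Missing parts default to 0."""
    m = _VER_RE.search(banner)
    if m is None:
        return None
    major, minor, patch, portable = m.groups()
    return (int(major), int(minor), int(patch or 0), int(portable or 0))


def assess(banner: str) -> str:
    """Classify a version string relative to FIXED.

    'current'                  - at or above the fixed release
    'vendor-backport-possible' - older number, but a vendor suffix follows it
                                 (e.g. a distro package), so fixes may be backported
    'likely-vulnerable'        - older number from what looks like a vanilla build
    'unknown'                  - not an OpenSSH version string at all
    """
    v = parse_version(banner)
    if v is None:
        return "unknown"
    if v >= parse_version("OpenSSH_" + FIXED):
        return "current"
    # Anything after the version token (a distro tag, package revision, ...) means
    # this is a vendor build; the version number alone cannot decide the question.
    tail = banner[_VER_RE.search(banner).end():].strip()
    if tail:
        return "vendor-backport-possible"
    return "likely-vulnerable"


if __name__ == "__main__":
    # Constructed sample banners: vanilla builds from the thread plus one distro-style banner.
    for b in ("OpenSSH_3.7.1p2", "OpenSSH_3.6p2", "OpenSSH_3.1p4",
              "SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3", "SSH-2.0-dropbear"):
        print(f"{b:50} -> {assess(b)}")
```

The distro-style case is the one the thread warns about: the number says 3.4p1, but the suffix marks a vendor package, so the right answer is "check the vendor's changelog", not "vulnerable".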
_______________________________________________
plug mailing list
plug at plug.linux.org.au
http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug