9/22 OpenSSH 3.7.1p2 (portable, i.e. non-OpenBSD) has been released.
There are multiple vulnerabilities with the PAM auth code in
3.7.1p1, so if you use PAM (Solaris/Linux) you should upgrade.
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=106432248411636&w=2
\_ Is there an sshd that just works? I'd be happy with a v2 sshd
without holes that just allows simple logins. Any other features
after that would be a bonus. Any suggestions? Please?
\_ Sigh. OpenSSH "just works". It's just that its vulnerabilities
are declared and found more frequently than commercial SSH
daemons. Not saying those are any better or worse, but you are
deluding yourself if you think that any piece of cryptographic
software is "secure" just because no bugs are ever publicly
announced. Patching system components is a part of life as a
sysadmin, get used to it. -John
\_ I am all for open source, but doesn't it bring as much harm
as benefit in terms of security? Sure, patches are made
more frequently, but isn't it much easier in theory to find a
bug to exploit when the source is available than otherwise?
\_ Do you occasionally look at Bugtraq? I suggest you do,
if only to make it clear that having a commercial program
doesn't add much in the way of security. Ask Microsoft.
"Better the devil you know"... -John
\_ I'm not making my point. I can see that. I don't care
who wrote it or why or where it comes from. I just want
an sshd with minimal features and fewer holes than what
openssh has. If you don't know of one, thanks, that's
ok.
\_ would you prefer to know that holes are being found and
patched at the cost of having to upgrade, or instead
not know about holes and ignore upgrades in ignorant bliss?
\_ I'm not making my point. I can see that. I don't care
who wrote it or why or where it comes from. I just want
an sshd with minimal features and fewer holes than what
openssh has. If you don't know of one, thanks, that's
ok.
\_ You're very clear--I'm simply saying that OpenSSH
is pretty much "it" for open-source sshd, and with
the non-open source ones, no, you probably won't be
patching so often, but that says nothing about the
amount of holes in them. -John
\_ I don't care if the alternative is commercial or not. I just
want something I won't be patching three times in a week. I'm
not concerned with open vs commercial philosophy.
\_ It's nothing to do with commercial or open source. It's
a question of security. If all you care about is not
patching something, then don't run OpenSSH. This is
what's known as 'sticking your head in the sand'. And
yes, what you don't know _can_ hurt you. Your call. -John
\_ I'm not making my point. I can see that. I don't care
who wrote it or why or where it comes from. I just want
an sshd with minimal features and fewer holes than what
openssh has. If you don't know of one, thanks, that's
ok.
\_ Argh! Nooo! Is this a joke? I have already had to upgrade OpenSSH
on nearly 200 hosts -twice- during the last week.
What the #$(@)@*!!
\_ Pride goeth before a fall.
\_ Pride goes before destruction, a haughty spirit
before a fall. Proverbs 16:18
\_ That's why it makes sense to wait to upgrade. OpenSSH
*always* has one or two patches out within a week. --dim
\_ wait a week to upgrade while getting hacked in the meantime?
swell idea, i wish i'd thought of it.
\_ There are no known exploits for this vulnerability, nor for
most of the ones being found lately. "It is uncertain
whether these errors are potentially exploitable,
however, we prefer to see bugs fixed proactively." --dim
\_ so says them. securityfocus paints a different picture.
in any case, better safe than sorry.
\_ More than once the "new" OpenSSH has been more flawed
than the original. An example was when the privilege
separation code was first added. It is common for
the OpenSSH folks to fix a bug and then have to
fix their fix. Hence, we are at p2 already. Just wait
for the bozos to figure it out unless the bug is
easily exploited. --dim
\_ they're not exactly fixing their fix. they somewhat
hastily made a release with *new* functionality,
which was probably not well-tested. so just patch
the old 3.6.1p2 and you're fine.
\_ Jesus fucking Christ! Is there a simple v2 sshd out there that
just works?! I don't need all the whiz bang features, just a
login shell. If it could port forward that would be a bonus
but I could survive without it if it meant I could stop the
upgrade madness.
\_ what's this whole upgrade madness? it's been a while since
the last major openssh scare. fwiw, maybe you should've just
patched 3.6.1 and been done with it.
\_ lsh might be what you are looking for. Keep in mind that
OpenSSH has a larger user base, developer base and h4x0r
base so gets more auditing.
\_ and lsh had its own remote exploitable bug days later.
so what's the difference.
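The practical problem behind the "nearly 200 hosts" complaint above is knowing which hosts still run the 3.7.1p1 PAM code. The following is an added example, not code from the thread or from the OpenSSH project: it parses the version string in an sshd banner, orders portable OpenSSH versions correctly (3.7p1 < 3.7.1p1 < 3.7.1p2), and sorts a fleet into buckets. The host names and banners are constructed, and the rule that only 3.7.1p1 counts as "affected" is an assumption taken from the release post at the top of the thread.

```python
"""Triage a fleet of sshd banners against the OpenSSH 3.7.1p2 PAM fix.

Added example, not code from the thread or the OpenSSH project. The banner
strings below are constructed, not captured from real hosts.
"""
import re
from typing import Dict, NamedTuple, Optional

# Constructed sample banners: the first line sshd sends on port 22.
# Portable OpenSSH carries a "pN" suffix; vendors often append a package
# version after a space (the Debian string here is made up). Native
# OpenBSD builds have no "pN" suffix and contain no PAM code at all.
SAMPLE_BANNERS: Dict[str, str] = {
    "host-a": "SSH-2.0-OpenSSH_3.7.1p1",
    "host-b": "SSH-2.0-OpenSSH_3.7.1p2",
    "host-c": "SSH-1.99-OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9",
    "host-d": "SSH-2.0-OpenSSH_3.7p1",
    "host-e": "SSH-2.0-OpenSSH_3.7.1",
    "host-f": "SSH-2.0-lshd-1.5",
}

# From the thread: 3.7.1p2 fixes PAM bugs present in 3.7.1p1. Treating only
# 3.7.1p1 as "affected" is an assumption based on that post alone; anything
# older is reported as "pre-fix" and needs a look at the vendor patch level.
PAM_FIX_VERSION = "3.7.1p2"
PAM_AFFECTED_VERSIONS = ("3.7.1p1",)

BANNER_RE = re.compile(r"^SSH-\d+\.\d+-OpenSSH_(?P<ver>\d+\.\d+(?:\.\d+)?(?:p\d+)?)")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?$")


class OpenSSHVersion(NamedTuple):
    """Plain tuple ordering gives the right version order."""
    major: int
    minor: int
    patch: int      # 0 when absent, as in "3.7p1"
    portable: int   # the pN suffix; 0 for a native OpenBSD build


def parse_version(ver: str) -> OpenSSHVersion:
    """Parse '3.7.1p2', '3.7p1' or a native '3.7.1' into a comparable tuple."""
    m = VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"not an OpenSSH version string: {ver!r}")
    major, minor, patch, portable = m.groups()
    return OpenSSHVersion(int(major), int(minor), int(patch or 0), int(portable or 0))


def parse_banner(banner: str) -> Optional[OpenSSHVersion]:
    """Version from an sshd banner, or None if the server is not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    return parse_version(m.group("ver")) if m else None


def classify(banner: str) -> str:
    """Bucket one banner: affected / pre-fix / fixed / native / not-openssh."""
    v = parse_banner(banner)
    if v is None:
        return "not-openssh"
    if v.portable == 0:
        return "native"            # OpenBSD sshd: no portable PAM code
    if any(v == parse_version(a) for a in PAM_AFFECTED_VERSIONS):
        return "affected"          # the version the release post says to upgrade
    if v < parse_version(PAM_FIX_VERSION):
        return "pre-fix"           # older; check whether the vendor backported a fix
    return "fixed"


def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Classify every host in a {host: banner} map."""
    return {host: classify(b) for host, b in banners.items()}


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_BANNERS).items()):
        print(f"{host:8} {verdict:12} {SAMPLE_BANNERS[host]}")
```

A banner check only tells you the upstream version. It cannot see whether a vendor backported the fix into an older build (the "just patch 3.6.1p2" case lands in the pre-fix bucket), nor whether the host actually has PAM compiled in and enabled, so confirm both on the host before deciding a pre-fix entry can be left alone.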