OpenSSH-3.4 released

ME dugan at passwall.com
Wed Jun 26 11:56:22 PDT 2002


Just as the topic states, the new version of OpenSSH, version 3.4, has been
released. One major difference in this when compared to v 3.3 is that an
exploitable hole in OpenSSHv3.3 (without Privilege Separation enabled) has
been fixed. (Versions prior to 3.3 without privilege separation are also
at risk.)

This means that you should be able to technically run OpenSSH-3.4 without
privilege separation if you wish and still have a patch against a hole
found by ISS.

If you run OpenSSH-3.3 *with*
UsePrivilegeSeparation yes
(or at least without "UsePrivilegeSeparation no" since yes is the new
default) the present known exploit should not lead to remote root with
the present known exploit and bug that was patched.

It also means that black hats will be examining the diffs between
OpenSSH-3.3 and OpenSSH-3.4 and more widely used exploits will be on the
way real soon.

-ME

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-----) C++$(++++) U++++$(+$) P+$>+++ 
L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ !PGP
t at -(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++>++++ h(++)>+ r*>? z?
------END GEEK CODE BLOCK------
decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html
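
Added example, not part of the original post: a small shell check that sorts a host into the three cases the message describes (3.4 or later, an older release with privilege separation on, an older release without it). The function names and the sample config are made up for illustration, the version string is supplied by the caller, and treating an unset directive on releases before 3.3 as "not enabled" is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original post): classify an sshd host using the
# three cases the post describes. The version string is supplied by the caller.

# Print the UsePrivilegeSeparation value found in config file $1:
# "yes", "no", or "unset". Keywords are case-insensitive, first match wins.
privsep_setting() {
    awk 'tolower($1) == "useprivilegeseparation" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# classify VERSION CONFIG -> patched | mitigated | exposed | unknown
classify() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    major=${ver% *}
    minor=${ver#* }
    # 3.4 and later carry the fix, with or without privilege separation.
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 4 ]; }; then
        echo patched; return 0
    fi
    setting=$(privsep_setting "$2")
    # 3.3 defaults to "yes"; for older releases an unset directive is treated
    # as not enabled (assumption of this example).
    if [ "$setting" = unset ] && [ "$major" -eq 3 ] && [ "$minor" -eq 3 ]; then
        setting=yes
    fi
    if [ "$setting" = yes ]; then echo mitigated; else echo exposed; fi
}

# Constructed sample config for a quick run.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed sample sshd_config
Port 22
#UsePrivilegeSeparation yes
useprivilegeseparation no
EOF
echo "OpenSSH_3.3 + sample config: $(classify OpenSSH_3.3 "$demo_cfg")"
rm -f "$demo_cfg"
```

"mitigated" here means only what the post claims: the known exploit should not lead to remote root, not that the bug is gone.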


