On Thursday 27 June 2002 2:02 pm, Simon Waters wrote:
> Anyone know about SUN Cobalt Raq Linux yet? I think the HP-UX advisory sums it up nicely, "disable challengeResponse, disable KeyboardIntAuth, and await 3.4" sums up the approach nicely, now if they had said that at first Zozo could have got more sleep this week, he always sounds like he needs more.
Pah! sleep! what's that? ;) I've got my rocket fuel and penguin mints (as well as the proplus) to keep me alive and kicking :p Seriously though, I'm not at *all* impressed by the way this vulnerability has been dealt with, ISS should be shot dead - they've been the root cause of all the hassle this week (except maybe the icecast vulnerabilities). Theo (the OpenBSD one, not me :p) didn't sign his messages, which left me until yesterday afternoon (when OpenBSD updated the website) in 2 minds about it. and he didn't even mention that some boxes weren't affected (in fact, I don't *think* any default Linux distro is affected - Debian isn't, that's for sure.) then ohh yay, I've just got yet *another* security advisory through (YASA? ;)):
> ISS X-Force released an advisory about an OpenSSH "Remote Challenge Vulnerability". Unfortunately, the advisory was incorrect on some points, leading to widespread confusion about the impact of this vulnerability.
no kidding.
> No version of OpenSSH in Debian is affected by the SKEY and BSD_AUTH authentication methods described in the ISS advisory.
and just as i start to be happy....
> However, Debian does include OpenSSH servers with the PAM feature described as vulnerable in the later advisory by the OpenSSH team. (This vulnerable feature is authentication using PAM via the keyboard-interactive mechanism [kbdint].) This vulnerability affects OpenSSH versions 2.3.1 through 3.3. No exploit is currently known for the PAM/kbdint vulnerability, but the details are publicly known.
oh yay. thank god we don't have PAMAuthenticationViaKbdInt on.
> All of these vulnerabilities were corrected in OpenSSH 3.4.
which means the last 3 hours spent upgrading the servers, again. woo hoo. so it's not just BSD_AUTH and SKEY - also PamInteractive is possibly vulnerable - luckily Debian sets it off by default.
> Oh and a mod_ssl bug in Apache made it to BugTraq - only relevant to people who share Apache instances between clients if I read it right - it never rains but it pours.
yes - and guess what - it affects us. ARGHHH. at least on OpenBSD, maybe Linux, too. IF ANYONE ELSE RELEASES ANOTHER VULNERABILITY THIS WEEK I'M GOING TO KILL THEM PERSONALLY. ;-) my favourite part of security notices has to be the 'workaround' section. mod_ssl's is: "Disallow per-directory configuration files by only having 'AllowOverride None' directives in your httpd.conf file, and restart the webserver." that should probably be rephrased: "Disallow per-directory configuration files by only having 'AllowOverride None' directives in your httpd.conf file, restart the webserver, and redirect your support email address to /dev/null." the best one had to be a Solaris one a few years back, that recommended shutting down portmap and all NFS related systems until the problem is fixed, which they mentioned would probably be a few days. Great, except portmap was running to provide shared filesystems over all the webservers ;p
> Perhaps Theo will give me a job patching things.
CPO? Chief Patch Officer? ;) maybe also we could have Patch Manager, and Bugtraq-mailing-list-reader, too. It's needed this week ;) I need a new job, too :p and even more fun:

[Thu Jun 27 14:35:57 2002] Transfer-Encoding: chunked - denied and logged
[Thu Jun 27 14:35:57 2002] Invalid error redirection directive:

==-=-=-=- thank god for that. yay yay aya.

~ Theo, as always, fully awake and spelling terrible ;)

-- 
Theo Zourzouvillys http://zozo.org.uk/
Q: Why did the germ cross the microscope? A: To get to the other slide.

-- The Mailing List for the Devon & Cornwall LUG. Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.
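The workaround discussed in the thread (turn off ChallengeResponseAuthentication and PAMAuthenticationViaKbdInt until OpenSSH 3.4 is installed) is easy to verify from the server banner and sshd_config. The following checker is an added example written for this archive page, not code from the thread or from the OpenSSH project; it assumes the affected range 2.3.1 through 3.3 stated in the Debian advisory, and it assumes the 3.x defaults of ChallengeResponseAuthentication yes and PAMAuthenticationViaKbdInt no when a directive is absent.

```python
import re

# Range quoted in the Debian advisory: 2.3.1 through 3.3, fixed in 3.4.
AFFECTED_MIN = (2, 3, 1)
FIXED_IN = (3, 4)

# Assumed defaults for an OpenSSH 3.x sshd when the directive is not set.
DEFAULTS = {"challengeresponseauthentication": "yes",
            "pamauthenticationviakbdint": "no"}

# Constructed sample sshd_config: the PAM/kbdint path is closed, challenge-response is not.
SAMPLE_CONFIG = "# sshd_config (constructed sample)\nPAMAuthenticationViaKbdInt no\nPermitRootLogin no\n"


def parse_version(banner):
    """Extract (major, minor, patch) from a banner such as 'SSH-1.99-OpenSSH_3.3p1'."""
    m = re.search(r"OpenSSH[_-](\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        return None
    return tuple(int(x) if x else 0 for x in m.groups())


def parse_sshd_config(text):
    """Return effective lower-cased option values, honouring comments and the assumed defaults."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].lower()] = parts[1].strip().lower()
    return opts


def assess(banner, config_text):
    """Return (exposed, findings): exposed when an affected version still offers an open method."""
    version = parse_version(banner)
    opts = parse_sshd_config(config_text)
    findings = []
    if version is None:
        in_range = True                              # unknown version: assume the worst
        findings.append("could not determine OpenSSH version; assuming affected")
    else:
        in_range = AFFECTED_MIN <= version < FIXED_IN
        findings.append("version %s %s affected range 2.3.1-3.3"
                        % (".".join(map(str, version)), "inside" if in_range else "outside"))
    open_methods = [name for key, name in (("challengeresponseauthentication", "ChallengeResponseAuthentication"),
                                           ("pamauthenticationviakbdint", "PAMAuthenticationViaKbdInt"))
                    if opts[key] != "no"]
    findings.extend("%s is not set to 'no'" % name for name in open_methods)
    return in_range and bool(open_methods), findings


if __name__ == "__main__":
    print(assess("SSH-1.99-OpenSSH_3.3p1", SAMPLE_CONFIG))
```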