Slashdot: News for Nerds


New Vulnerabilities in Portable OpenSSH

michael posted more than 10 years ago | from the will-get-it-right-eventually dept.

Security 324

An anonymous reader writes "The OpenSSH team has uncovered multiple exploitable vulnerabilities in the days-old portable release of OpenSSH. That's right folks: time to patch *again*. 3.7.1p2 is now available. Instructions and mirror list here. Please note that this vulnerability only affects *portable* OpenSSH--so if you are running OpenBSD, you're safe. This vulnerability apparently has to do with PAM, so you can use the 'UsePam no' option in your config file. Info on the advisory here and here."


324 comments

Non-standard configuration (5, Informative)

grub (11606) | more than 10 years ago | (#7036881)


From the article: At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled)

Privilege Separation saves the day again. I think this is a testament to the forward thinking of the OpenBSD and OpenSSH people: they know that human error introduces potentially exploitable bugs, hence the work that went into PrivSep to minimize the risk.

"The lengths some people will goto to try and damage Theo's pride" [slashdot.org] Most moronic submitter comment ever.

GRUB SUCKS THE RAT CUM OUT OF DEAD RAT CUNTS! FAG! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7036909)

Re SUCKIT FAGG0RRZZ!!! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7037087)

you refill the rat-cunt with your SP00GE, FAG.

Re:Non-standard configuration (1, Redundant)

rsmith-mac (639075) | more than 10 years ago | (#7036925)

Yes, but what happens when PrivSep is exploited? It too is just like any other code: human written, and potentially weak. It's another layer of security that would have to be bypassed, but it's by no means the end of exploits in other code.

Re:Non-standard configuration (4, Insightful)

Frymaster (171343) | more than 10 years ago | (#7036985)

writers looking for a typewriter-with-memory would be better served by Notepad or the Mac equivalent.

your belt may fail
your suspenders may fail

if you're really serious about keeping your pants up, use both!

this is the theory of theo-n-the-openbsd-cats. you used priv sep plus all the other security goodies.

you don't say that doing nightly backups is a "weak" practice because the backups could fail at the same time as your main drive. do you?

Re:Non-standard configuration (1, Funny)

Anonymous Coward | more than 10 years ago | (#7037053)

Minimize the damage:

Become a nudist, and wear a ski-mask over your head.

Re:Non-standard configuration (1)

gl4ss (559668) | more than 10 years ago | (#7037120)

i just have a bigger belly now than when i bought my pants, works excellently.

sure my ass might flash sometime but we all know how easy it is to disable annoying flash ads.

ON WAY MAN (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7037015)

it's written by teh OpenBSD dudes. they are gods among men.

Re:Non-standard configuration (5, Insightful)

grub (11606) | more than 10 years ago | (#7037058)


Having a small amount of the sshd code running as root with the 'sshd' user handling the rest helps make it harder for other exploits. I don't think anyone would suggest that PrivSep makes an exploit impossible, but it is another great layer on the security-onion.

Re:Non-standard configuration (0)

Anonymous Coward | more than 10 years ago | (#7037090)

When will the mods learn that grub is a troll. It is obvious he doesn't know what he's talking about. Anyone with a lick of creativity could have made up that post.

pr0pz grub, you're good at what you do

Re:Non-standard configuration (0)

Anonymous Coward | more than 10 years ago | (#7037116)

troll? there was no goatse.cx link, no blacklungs link, no "RMS is gay" comment...

hmm (4, Funny)

tedtimmons (97599) | more than 10 years ago | (#7036885)

Who is pam, and what did she have to do with openssh?

-ted

Re:hmm (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7036938)

hurr you're a fucking dumbass hurr hurr

Re:hmm (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7036955)

its a fucking authentication module you stupid piece of shit go off and kill yourself you dont even deserve to use the internet

Re:hmm (4, Funny)

r_j_prahad (309298) | more than 10 years ago | (#7037044)

Pam was my ex-wife. She was pluggable by too many.

Re:hmm (0)

Anonymous Coward | more than 10 years ago | (#7037074)

I exploited all of her holes.

AGAIN?!?! What ever happened to checking this in (-1)

Real World Stuff (561780) | more than 10 years ago | (#7036893)

Alpha? Doublecheck in Beta. Then release.

A solution? (4, Funny)

gpinzone (531794) | more than 10 years ago | (#7036911)

This vulnerability apparently has to do with PAM, so you can use the 'UsePam no' option in your config file.

Wouldn't that prevent anyone from logging in? I guess that's a solution. Why not disconnect the network cable, too?

Re:A solution? (3, Insightful)

Asgard (60200) | more than 10 years ago | (#7036944)

Disabling PAM would only be a problem if you had only allowed PAM-specific authentication methods.

Re:A solution? (0)

Anonymous Coward | more than 10 years ago | (#7036966)

This vulnerability apparently has to do with PAM, so you can use the 'UsePam no' option in your config file.
Wouldn't that prevent anyone from logging in? I guess that's a solution. Why not disconnect the network cable, too?

Not everyone uses PAM for user authentication, you idiot.

Re:A solution? (0)

Anonymous Coward | more than 10 years ago | (#7037001)

Yeah but the people who don't already say "UsePAM no", you idiot.

Re:A solution? (0)

Anonymous Coward | more than 10 years ago | (#7037061)

No, you're the idiot. Idiot.

Re:A solution? (2, Troll)

Corgha (60478) | more than 10 years ago | (#7036977)

The PAM support in that version of portable OpenSSH is broken, anyway. They ripped the old PAM support out and replaced it with something half-done.

That's why I backported the security patches, instead of upgrading. Now I'm glad that I did.

Re:A solution? Read advisory (1, Informative)

Anonymous Coward | more than 10 years ago | (#7037072)

Advisory [openssh.com]

Subject: Portable OpenSSH Security Advisory: sshpam.adv

This document can be found at: http://www.openssh.com/txt/sshpam.adv

1. Versions affected:

Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
vulnerabilities in the new PAM code. At least one of these bugs
is remotely exploitable (under a non-standard configuration,
with privsep disabled).

The OpenBSD releases of OpenSSH do not contain this code and
are not vulnerable. Older versions of portable OpenSSH are not
vulnerable.

2. Solution:

Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM
support ("UsePam no" in sshd_config).

Due to complexity, inconsistencies in the specification and
differences between vendors' PAM implementations we recommend
that PAM be left disabled in sshd_config unless there is a need
for its use. Sites only using public key or simple password
authentication usually have little need to enable PAM support.

The rumors are true... (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7036915)

SSH is dying!!

Patch for x86_64? (0)

Anonymous Coward | more than 10 years ago | (#7036917)

I've just bought an A64-FX with Debian/FX 3.2 today. When can I apt-get the patch?

Re:Patch for x86_64? (-1)

Seth Finklestein (582901) | more than 10 years ago | (#7036952)

Try searching the web [verisign.com] for more options. I strongly recommend checking out Intel [overture.com] and eBay [overture.com] 's sites.

Re:Patch for x86_64? (0)

Anonymous Coward | more than 10 years ago | (#7037002)

Patch available here [microsoft.com] . :)

Time for a new spin on security practices? (4, Funny)

Anonymous Coward | more than 10 years ago | (#7036921)

Maybe the OSS community needs a Trustworthy Computing initiative =]

Re:Time for a new spin on security practices? (2)

jbottero (585319) | more than 10 years ago | (#7036991)

OpenSSH... A Microsoft product, right? Oppss... Forgot, one can not criticize open source on the same standards we hold "M$" to...

Re:Time for a new spin on security practices? (1)

rajafarian (49150) | more than 10 years ago | (#7037097)

Why not??? From my experience using Linux I would say that is totally the opposite. Linux programmers seem to hold themselves to the highest standards of programming and nothing but the best and most secure is good enough (isn't that where Linux is going?), Microsoft or not.

Incapable developers! (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7036923)

What a pile of broken shit. If they can't code and secure it then they should think about changing jobs. Maybe bakery or farmer would suit them better.

Re:Incapable developers! (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7037035)

Hear, hear, my good man! That's "damn straight"!!!! These "open source" wing-nuts can't even code a decent OS!

Re:Incapable developers! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7037185)

What a pile of broken shit. If they can't code and secure it then they should think about changing jobs. Maybe bakery or farmer would suit them better.

Go back to Germany, you stupid Nazi farmer.

The USA is dying! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7036926)

It is official; UN Statistics now confirms: the USA is dying.

One more crippling bombshell hit the already beleaguered USA when president Bush confirmed that their markets have dropped yet again, now down to less than a fraction their value when he began his term. Coming on the heels of a recent UN survey which plainly states that America has lost its way, this news serves to reinforce what we've known all along. America is collapsing in complete disarray, as fittingly exemplified by being the most hated nation in the world.

You don't need to be a foreigner to predict America's future. The hand writing is on the wall: America faces a bleak future. In fact there won't be any future at all for Americans because the USA is dying. Things are looking very bad for America. As many of us are already aware, as the American economy continues to collapse.

Red ink flows like a river of blood. For all practical purposes, all Americans are dead, or at least should be.

I don't understand (1)

doggkruse (621549) | more than 10 years ago | (#7036942)

Portable SSH? Is that the version that is portable to OS X, or portable to what? What is the difference between portable ssh and not portable?

Re:I don't understand (3, Informative)

SwansonMarpalum (521840) | more than 10 years ago | (#7036970)

Portable OpenSSH refers to OpenSSH running on some system which is not OpenBSD.

Re:I don't understand (0)

Anonymous Coward | more than 10 years ago | (#7036978)

Portable to other things than the OS it was written for -- OpenBSD.

Re:I don't understand (1)

Rosyna (80334) | more than 10 years ago | (#7036979)

If you are wondering about OS X vulnerability... no. It is not affected. It uses OpenSSH 3.4p1 with the CAN-2003-0693 patch. These only seem to affect versions 3.7p1 and 3.7.1p1.

Re:I don't understand (4, Informative)

Compenguin (175952) | more than 10 years ago | (#7036994)

From the portable openssh website:
"Normal OpenSSH development produces a very small, secure, and easy to maintain version for the OpenBSD project. The OpenSSH Portability Team takes that pure version and adds portability code so that OpenSSH can run on many other operating systems (Unfortunately, in particular since OpenSSH does authentication, it runs into a *lot* of differences between Unix operating systems)."

Slashdot slow? (0)

Anonymous Coward | more than 10 years ago | (#7037241)

Is it just me, or is Slashdot totally slow, websitewise and networkwise? Like at least 30 secs for a page to come up after clicking.

Re:I don't understand (1)

SirPrize (590850) | more than 10 years ago | (#7036995)

From the OpenSSH [openssh.org] website: "OpenSSH is primarily developed by the OpenBSD Project," ... "Managing the distribution of OpenSSH is split into two teams. One team does strictly OpenBSD-based development, aiming to produce code that is as clean, simple, and secure as possible. " ... " The other team then takes the clean version and makes it portable, by adding the portability "goop" so that it will run on many operating systems (these are known as the p releases, and named like "OpenSSH 3.7.1p1"). "

Re:I don't understand (3, Informative)

V. Mole (9567) | more than 10 years ago | (#7036997)

OpenSSH is OpenBSD specific. "Portable SSH" is what everybody else uses. In other words, the OpenBSD developers (quite reasonably) don't spend any effort making SSH portable off of OpenBSD, and sometimes use OpenBSD specific functions. Other people then spend the time/effort to make it run on Linux, etc. There are features (such as, presumably, PAM support) that are not in the core OpenBSD version.

Re:I don't understand (1, Redundant)

UnderScan (470605) | more than 10 years ago | (#7036998)

From Portable OpenSSH [openssh.org]

Normal OpenSSH development produces a very small, secure, and easy to maintain version for the OpenBSD project. The OpenSSH Portability Team takes that pure version and adds portability code so that OpenSSH can run on many other operating systems (Unfortunately, in particular since OpenSSH does authentication, it runs into a *lot* of differences between Unix operating systems). ...

Reasons not to use PAM (0)

Anonymous Coward | more than 10 years ago | (#7036949)

1. It's bug-riddled
2. It's got a girls name
3. .....
4. Profit!

Or something like that.

Re:Reasons not to use PAM (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7037128)

AHAHAHAHAHAHHAHAHAHAHAHAHAHHAAAAAAAAAAAAAHAHAHAHAH AHAHA

--
Lameness filter encountered. Post aborted!
Reason: Don't use so many caps. It's like YELLING.

... I got a strange feeling thus ... (0)

Anonymous Coward | more than 10 years ago | (#7036953)

... I'll wait for 3.7.2 ...

Good Times (1)

FrozenDownload (687199) | more than 10 years ago | (#7036956)

Ahh, the joys of another afternoon spent patching boxes. I guess it is better than waiting for a vendor to come up with a patched binary package.

Re:Good Times (2, Interesting)

satch89450 (186046) | more than 10 years ago | (#7037084)

Ahh, the joys of another afternoon spent patching boxes. I guess it is better than waiting for a vendor to come up with a patched binary package.

When I heard there was a second patched version last week, I said to myself that these things come in threes, and that I would wait for "the next round." So much for updating 50 boxes more than once.

Will the third time be the charm, or should I avoid being on the bleeding edge and wait for next week's discoveries?

(At least it isn't like the Microsoft patches, which come at less frequent intervals and usually do more damage to my apps than the protection is worth. -- Obligatory Microsoft Bash)

A better solution (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7036957)

A better solution is to upgrade to Software Libre's offering of lsh [lysator.liu.se] -- a more secure, more Free as in Freedom implementation of the SSH protocol.

Re:A better solution (1, Informative)

Anonymous Coward | more than 10 years ago | (#7037024)

What, you mean the same lsh that was just exploited two days ago [slashdot.org] ?

Frankly, I think you'd have better luck searching the web for 'ssh'. [verisign.com]

Re:A better solution (3, Insightful)

sqlrob (173498) | more than 10 years ago | (#7037063)

More secure? [slashdot.org]

PAM is not in by default (4, Informative)

Anonymous Coward | more than 10 years ago | (#7036964)

Before we all panic, note that PAM is not in the default build.

It's also not in slackware builds (thanks Patrick).

JEBUS (2, Insightful)

tempest303 (259600) | more than 10 years ago | (#7036987)

This is getting ridiculous. Maybe it's time for OpenSSH development to completely halt for the moment, and do some serious auditing? This is just plain sad... I know people have been joking about switching to lsh, but at a current "score" of 3 to 1, I'm starting to consider it, at least for the time being... :-/

Re:JEBUS (0)

Anonymous Coward | more than 10 years ago | (#7037050)

Sure, go ahead I'm sure you'll be a lot better off!

http://www.securityfocus.com/archive/1/338354/2003-09-20/2003-09-26/0

Re:JEBUS (1)

tempest303 (259600) | more than 10 years ago | (#7037209)

RTFP: like I said, the "current score" of recent vulnerabilities of ssh vs lsh is 3 to 1. I was accounting for that vulnerability already. :P

Re:JEBUS (5, Insightful)

Kalzus (86795) | more than 10 years ago | (#7037065)

Arguably, this announcement *is* the result of an increase in code vetting on the part of the portable OpenSSH team. Just a thought.

Re:JEBUS (1)

tempest303 (259600) | more than 10 years ago | (#7037248)

Possibly. Perhaps I'm ignorant on the topic, but with auditing, shouldn't they put the vulnerability reports on hold for a short time, especially when there are so many in a row, and just do a sort of "service pack" upgrade?

Maybe there is no answer, I don't know. At least they get the patches out quickly.

Re:JEBUS (0)

Anonymous Coward | more than 10 years ago | (#7037223)

Two theoretical exploits and one potentially real one, vs a root exploit in your bugtraq inbox?
And you'd rather they waited until they'd audited the entire code a few hundred times until they sent out patches?
Moron.

Lemonparty! (0)

Anonymous Coward | more than 10 years ago | (#7036988)

[anonymous@coward home]$ ssh -V
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702

Re:Lemonparty! (0)

Anonymous Coward | more than 10 years ago | (#7037047)

[anonymous@coward src]$ ssh -v
OpenSSH_3.2p1 root_me_now_build, SSH protocols 1.5/2.0, OpenSSL 0x0090701f

YOU'RE EXPLOITABLE!!!!!!!!!! (0)

Anonymous Coward | more than 10 years ago | (#7037085)

You should switch to \/\/ind0w5! (0, Funny)

Anonymous Coward | more than 10 years ago | (#7037022)

Because you can have it notify you and update all these things automatically and not even worry about any of this stuff. It's real simple, too. All you do is check "automatic updates" and it works! Then there are no more problems. No worms. No exploits. Your box is secure. 4m4zin6!

Just like MS then. (1, Insightful)

clard11 (468002) | more than 10 years ago | (#7037027)

So how is this different to MS having multiple attempts to resolve their security bugs? I don't see a difference. Doesn't this prove that closed or OSS, security code is a difficult software engineering challenge? Maybe slashdotters should cut MS some slack in this area.

Re:Just like MS then. (0)

Anonymous Coward | more than 10 years ago | (#7037124)

Yeah, because the OpenBSD developers have an illegal monopoly on Operating Systems? This is an application vuln; when Microsoft bundles MediaPlayer, Explorer and friends as a way of leveraging their monopoly, they sure as hell deserve everything they get for shipping sloppy code.

Re:Just like MS then. (1)

clard11 (468002) | more than 10 years ago | (#7037172)

I'm not defending MS monopolistic position, and I look forward to a day when Linux desktops are the standard. I just think we should be a little humble about the difficulties involved.

Re:Just like MS then. (1)

BlowChunx (168122) | more than 10 years ago | (#7037187)

It is different because they (the OpenSSH team) announce bugs when they find them, not once a week.

And you definitely won't get a spoofed email purporting to be from the OpenSSH guys to apply a "patch" that infects your machine!

Re:Just like MS then. (1)

clard11 (468002) | more than 10 years ago | (#7037210)

...but in a linux desktop future you think the worm, trojan and virus writers are going to give up and go home with their tails between their legs ? I don't think so dude. And it's not a great leap to imagine a spoofed email from RedHat arriving in your inbox.

our new motto. (0)

Anonymous Coward | more than 10 years ago | (#7037038)

what do you wanna patch today?

Told you so (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7037039)

I knew it! Ha ha ha.

OpenSSH in RedHat 9 and others (5, Informative)

avij (105924) | more than 10 years ago | (#7037045)

The RH-supplied latest OpenSSH (3.5p1-11) doesn't seem to accept the "UsePam no" directive that was suggested as a workaround, so if you go ahead and add that line to your /etc/ssh/sshd_config and say "service sshd restart", SSH will complain about an invalid configuration option and refuse to start. Just for your information..

Re:OpenSSH in RedHat 9 and others (3, Informative)

ZerothAngel (219206) | more than 10 years ago | (#7037081)

Well, the advisory states that "Older versions of portable OpenSSH are not vulnerable." So it's probably not much of a worry anyway.

Re:OpenSSH in RedHat 9 and others (1)

the_quark (101253) | more than 10 years ago | (#7037092)

...And, of course, if SSH refuses to start, no one can use it to log into your system without authorization! Problem solved!

Re:OpenSSH in RedHat 9 and others (0)

Anonymous Coward | more than 10 years ago | (#7037109)

That problem is now only for 3.7.1p1 (3.7.1 portable); if you're using 3.5p1... guess what!?!?

OK, you're smart: you don't need to patch!

Re:OpenSSH in RedHat 9 and others (1)

Repugnant_Shit (263651) | more than 10 years ago | (#7037114)

Which may mean
1) That option isn't available and your system is in danger
2) OpenSSH wasn't compiled against PAM, so you don't have to worry.

That sounds right to me.

Re:OpenSSH in RedHat 9 and others (4, Informative)

virtual_mps (62997) | more than 10 years ago | (#7037117)

More importantly, the problem only affects OpenSSH 3.7p and 3.7.1p, so adding "UsePam no" to a 3.5p installation is unnecessary.

Case matters (1)

SkimTony (245337) | more than 10 years ago | (#7037147)

The directive should be:
"UsePAM no"

Case matters.

Re:Case matters (2, Insightful)

avij (105924) | more than 10 years ago | (#7037226)

Um, no.

man sshd: keywords are case-insensitive and arguments are case-sensitive, meaning that usepam and UsePam and UsePAM are equivalent.

Re:OpenSSH in RedHat 9 and others (3, Informative)

Eric Seppanen (79060) | more than 10 years ago | (#7037166)

According to Redhat Bugzilla bug 104917 [redhat.com] , Red Hat has never shipped openssh 3.7, so they're not vulnerable to this. No workaround or fix is needed.

Re:OpenSSH in RedHat 9 and others (1)

astroboy (1125) | more than 10 years ago | (#7037222)

The RH-supplied latest OpenSSH (3.5p1-11) doesn't seem to accept the "UsePam no" directive that was suggested as a workaround, so if you go ahead and add that line to your /etc/ssh/sshd_config and say "service sshd restart", SSH will complain about an invalid configuration option and refuse to start.

And thus, an effective workaround.

RedHat boxes are safe (4, Informative)

menscher (597856) | more than 10 years ago | (#7037075)

Just to alleviate some of the panic, RedHat boxes are safe [redhat.com] .

Re:RedHat boxes are safe (0)

Anonymous Coward | more than 10 years ago | (#7037164)

As far as I can tell, all Debian releases are safe too since they use older versions with back-ported security fixes.

Re:RedHat boxes are safe (2, Informative)

Jhon (241832) | more than 10 years ago | (#7037221)

Is that accurate? I read that as saying "With the version shipped with RH and RH Enterprise" -- which is an OLDER version. Doesn't that mean that if an RH user has updated SSH to a newer version, they are vulnerable?

When will it end? (3, Funny)

Dr. Bent (533421) | more than 10 years ago | (#7037078)

This vulnerability apparently has to do with PAM

When will people learn that non-stick cooking spray causes more harm than good? Unneeded fat, calories and remote root exploits are just some of the problems caused by these unsavory products. For god's sake, people...there are better ways to dissipate heat and prevent sticking and burning. For one, turn that CPU clock speed down! Just because you can fry an egg on your motherboard, doesn't mean you should! That's what the CD-ROM drive is for!

Re:When will it end? (0)

Anonymous Coward | more than 10 years ago | (#7037137)

When will people learn that non-stick cooking spray causes more harm than good? Unneeded fat, calories and remote root exploits are just some of the problems caused by these unsavory products. For god's sake, people...there are better ways to dissipate heat and prevent sticking and burning. For one, turn that CPU clock speed down! Just because you can fry an egg on your motherboard, doesn't mean you should! That's what the CD-ROM drive is for!

So now you're saying I shouldn't spray my CPU with non-stick cooking spray?

Do I need to upgrade? (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#7037082)

OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f

It's her fault! (1)

devphaeton (695736) | more than 10 years ago | (#7037088)

This vulnerability apparently has to do with PAM,

Yeah, I always blame my problems on the chick too ;)

(kekekeke)

Where are they? (0)

Anonymous Coward | more than 10 years ago | (#7037112)

Okay, a bunch of posts already, but where are all the "*BSD is dying" trolls now? OpenBSD got it right, but porting to Linux and other OSes screwed up.

Not the way to compete with MS (1, Funny)

narratorDan (137402) | more than 10 years ago | (#7037134)

OSS should compete with features and security, not number of exploits and patches.

On second thought, maybe more patches will make IT managers think that OSS=MS in quality and will begin to use OSS more because it is as good as MS.

NarratorDan

As usual.... (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7037142)

Debian users will be exploitable. This is because debian uses so called "stable" (even in "unstable") obsolete versions of programs that are swiss cheese for security. Don't tell me about backporting, because you know what they say, you can't polish a turd.

This post is guaranteed a -1, when going s/debian/microsoft/g would get +5, insightful. Remember to metamod unfair.

I suppose... (1)

Draco_es (628422) | more than 10 years ago | (#7037146)

...that OpenBSD is not vulnerable because it doesn't use PAM itself. It uses BSD-auth (imported from BSD/OS, I think) as its authentication system.

The advisory says that PAM should be disabled by default. I think that it isn't a very realistic petition. Most (medium|large)-scale Unix/Linux deployments depend on pam modules like pam_ldap, pam_krb, etc...

Only.... (0, Flamebait)

222 (551054) | more than 10 years ago | (#7037150)

X+1 holes in the default install in over 7 years!
It's a joke, people.....

Apple affected? (1)

toupsie (88295) | more than 10 years ago | (#7037158)

Apple just came out with Mac OS X update 10.2.8 which fixed the last OpenSSH exploit. Does anyone know if that update also covers the new exploit mentioned here? Or should I expect 10.2.9 in a few days?

Only (0)

Anonymous Coward | more than 10 years ago | (#7037165)

Only 2 remote holes in the last 2 weeks.

Re:Only (0)

Anonymous Coward | more than 10 years ago | (#7037262)


Neither has been shown to be exploitable in the default OpenBSD install, fucktard.

The Need for Open Source Watchdogs (3, Interesting)

TheCRE (710241) | more than 10 years ago | (#7037175)

In light of the recent CERT/CC advisories regarding security vulnerabilities in the Sendmail and OpenSSH programs (even before the problems with the new release of portable Open SSH), the Center for Regulatory Effectiveness' WatchDog Watch discussed the need for open source watchdogs. Please see www.thecre.com/wdw/20030922_open_source.html

Winston, Security Director, WatchDog Watch

Time for less windows bashing? (1, Offtopic)

SteWhite (212909) | more than 10 years ago | (#7037190)

Note: This post is not intended as a troll or flamebait, I'm merely stating my opinion, which is this:

When this kind of thing can happen with such important and widely used open source software, I think people should take a moment to consider being more lenient towards Microsoft and their endless patches.

I'm not saying that MS products are in any way more secure than their OSS equivalents, indeed they are most likely less secure, but we need to remember that theirs are not the only insecure programs in the world. Take heed people.

Is the default config file safe? (1)

jqh1 (212455) | more than 10 years ago | (#7037196)

I'm using pretty much the default config file, and I've never intentionally enabled PAM. Here's what the PAM part looks like:

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
#UsePAM yes

If you have to uncomment that line to enable PAM authentication, then *not* uncommenting it is equivalent to setting it to "no" (like the advisory says to do), yes? The advisory does appear to mention this default, explicitly anyway...

[sorry to ask what may be the obvious, but weeks fall off my probable lifespan whenever I'm messing with sshd on a remote server, and I'd sure like to avoid it if I can]
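The two questions raised in this thread, whether "UsePam"/"UsePAM" case matters and whether a commented-out "#UsePAM yes" counts as disabled, can be settled by a small checker. This is an added example, not code from the OpenSSH project or from any poster; it assumes the sshd_config(5) rules quoted above (keywords case-insensitive, arguments case-sensitive, first occurrence of a keyword wins), an assumed default of "no" for an unset UsePAM, and the affected release list from the sshpam.adv advisory. The banners and config text are constructed samples modelled on the ones posted in the thread.

```python
import re

# Portable releases the sshpam.adv advisory on this page names as affected.
AFFECTED_PORTABLE = {"3.7p1", "3.7.1p1"}
FIXED_RELEASE = "3.7.1p2"


def parse_ssh_version(banner):
    """Pull the release string out of `ssh -V` output.

    'OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702' -> '3.6.1p2'
    A release without a 'pN' suffix is the OpenBSD-native build, which the
    advisory says does not contain the PAM code at all.
    """
    m = re.search(r"OpenSSH_(\d+\.\d+(?:\.\d+)?(?:p\d+)?)", banner)
    return m.group(1) if m else None


def usepam_setting(config_text, default="no"):
    """Return the effective UsePAM argument for an sshd_config.

    Mirrors the sshd_config(5) rules the thread argues about: keywords are
    case-insensitive (usepam, UsePam and UsePAM all match), arguments are
    case-sensitive, and the first occurrence of a keyword wins, so later
    duplicates are ignored. A commented-out '#UsePAM yes' is not a setting
    and leaves the default in force. The default of "no" is an assumption
    matching the commented sample quoted in the post above.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Options may be written 'Key value' or 'Key=value' (optional spaces).
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts
        if key.lower() == "usepam":
            return value.strip()
    return default


def assess(banner, config_text):
    """Combine the version check and the config check into one verdict."""
    version = parse_ssh_version(banner)
    usepam = usepam_setting(config_text)
    if version is None:
        status = "unknown"
        action = "could not parse `ssh -V` output; check the version by hand"
    elif version not in AFFECTED_PORTABLE:
        status = "not-affected"
        action = "no action needed for this advisory"
    elif usepam == "no":
        status = "mitigated"
        action = f"PAM disabled; still upgrade to {FIXED_RELEASE} when convenient"
    else:
        status = "vulnerable"
        action = f"upgrade to {FIXED_RELEASE} or set 'UsePAM no' and restart sshd"
    return {"version": version, "usepam": usepam, "status": status, "action": action}


# Constructed sample inputs, modelled on the banners and config quoted in the thread.
SAMPLE_BANNER_OLD = "OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702"
SAMPLE_BANNER_BAD = "OpenSSH_3.7.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090702"
SAMPLE_CONFIG_DEFAULT = """\
# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
#UsePAM yes
"""
SAMPLE_CONFIG_PAM_ON = "usepam yes\nUsePAM no\n"  # first occurrence wins

if __name__ == "__main__":
    for banner, cfg in ((SAMPLE_BANNER_OLD, SAMPLE_CONFIG_PAM_ON),
                        (SAMPLE_BANNER_BAD, SAMPLE_CONFIG_DEFAULT),
                        (SAMPLE_BANNER_BAD, SAMPLE_CONFIG_PAM_ON)):
        print(assess(banner, cfg))
```

Feed it the real `ssh -V` banner and the contents of /etc/ssh/sshd_config to get the verdict for a given host; "mitigated" means the workaround is in place, not that the upgrade can be skipped.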

New Motto (4, Funny)

Greyfox (87712) | more than 10 years ago | (#7037199)

15^H^H10 minutes without a remote root exploit!

Yippee! (4, Funny)

mrpuffypants (444598) | more than 10 years ago | (#7037244)

oooh! Patching every other day is fun!

This is just like being an MCSE! Now I can hang out with the NT guys and chat about patching!