Re: [Fwd: ISS Advisory: OpenSSH Remote Challenge Vulnerability]

2002-06-27 Thread Anthony DeRobertis
On Wed, 2002-06-26 at 14:59, Lupe Christoph wrote: > I've spent several hours updating left and right, and now this? > How shall I justify this to my client? I can't really charge for > falling for Theo. Seems I took a firm stand and bent over for him. See Wichert's message: <[EMAIL PROTECTED]>

Re: [Fwd: ISS Advisory: OpenSSH Remote Challenge Vulnerability]

2002-06-26 Thread Lupe Christoph
On Wednesday, 2002-06-26 at 18:14:35 +0200, Mark Janssen wrote: > From what I understand, the advisory below is for the security issue > we've been buggering over for the last 2-3 days. > As I understand it, there is no need to upgrade to openssh 3.3 and use > priv-sep code, when we turn off the v

Re: [Fwd: ISS Advisory: OpenSSH Remote Challenge Vulnerability]

2002-06-26 Thread Greg Hunt
I don't see a better way of handling the OpenSSH announcement. More details or a patch would have allowed people to start writing exploits, at least they warned users of an upcoming bug and provided a work around. The OpenSSH team had to communicate with many vendors and eventually the details w

Re: [Fwd: ISS Advisory: OpenSSH Remote Challenge Vulnerability]

2002-06-26 Thread Anne Carasik
Hi Simon, This one time, [EMAIL PROTECTED] wrote: > I am a bit worried about the ssh advisories, not the actual package > itself (well, that too) but the way it was handled -- the openssh team > issued new versions of a package and a security advisory asking > everyone to update to the new package

Re: [Fwd: ISS Advisory: OpenSSH Remote Challenge Vulnerability]

2002-06-26 Thread simon+debian-security
I am a bit worried about the ssh advisories, not the actual package itself (well, that too) but the way it was handled -- the openssh team issued new versions of a package and a security advisory asking everyone to update to the new package, Debian and others jumped on it and sent the new version o

Re: [Fwd: ISS Advisory: OpenSSH Remote Challenge Vulnerability]

2002-06-26 Thread Anne Carasik
Hi Mark, From the OpenSSH web page: "At least one major security vulnerability exists in many deployed OpenSSH versions (2.9.9 to 3.3). Please see the ISS advisory, or our own OpenSSH advisory on this topic where simple patches are provided for the pre-authentication problem. Systems running with

[Fwd: ISS Advisory: OpenSSH Remote Challenge Vulnerability]

2002-06-26 Thread Mark Janssen
From what I understand, the advisory below is for the security issue we've been buggering over for the last 2-3 days. As I understand it, there is no need to upgrade to openssh 3.3 and use priv-sep code, when we turn off the various challenge-response systems discussed below (BSD-AUTH and SKEY).