OpenSSH Challenge-Response Buffer Overflow Vulnerabilities

Solution:
OpenSSH 3.4 has been released. Although it should contain the fix, administrators are still advised to enable privilege separation as a preventative measure.

The OpenSSH development team has stated that OpenSSH 3.2 (and later) servers configured to use the new privilege separation feature are not exploitable. Privilege separation was introduced in OpenSSH 3.2. Administrators of systems using earlier versions are *strongly* urged to upgrade to OpenSSH 3.2 or later and enable privilege separation. Privilege separation is enabled by default in OpenSSH 3.3.

Please see the references for more information.
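The guidance above can be turned into a host check. The following is an added example, not part of the original advisory or of OpenSSH: it classifies a server from its version banner and the text of its sshd_config. The function names, status labels and sample inputs are hypothetical, and it assumes privilege separation is off by default in 3.2 because the advisory only states the default for 3.3.

```python
import re

# Constructed sample inputs, not taken from a real host.
SAMPLE_BANNER = "SSH-1.99-OpenSSH_3.2.3p1"
SAMPLE_CONFIG = "Port 22\n#UsePrivilegeSeparation yes\nProtocol 2,1\n"

def parse_version(banner):
    """Return (major, minor) from an OpenSSH version banner, or None."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def privsep_setting(config_text):
    """Return the explicit UsePrivilegeSeparation value, or None if unset.
    Keywords are case-insensitive and sshd uses the first value it finds.
    Only whitespace-separated 'Keyword value' lines are handled here."""
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "useprivilegeseparation":
            return parts[1]
    return None

def assess(banner, config_text):
    """Return (status, reason) following the advisory's guidance."""
    version = parse_version(banner)
    if version is None:
        return ("unknown", "banner is not an OpenSSH version string")
    if version < (3, 2):
        return ("upgrade", "privilege separation was introduced in 3.2")
    explicit = privsep_setting(config_text)
    # Assumption: default is on from 3.3 (stated above), off in 3.2.
    enabled = (explicit == "yes") if explicit is not None else version >= (3, 3)
    if not enabled:
        return ("enable-privsep", "set 'UsePrivilegeSeparation yes'")
    if version < (3, 4):
        return ("mitigated", "privilege separation on; upgrade to 3.4 for the fix")
    return ("ok", "3.4 or later with privilege separation enabled")

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONFIG))
```

A commented-out `UsePrivilegeSeparation` line counts as unset, so the sample 3.2 host is reported as needing the setting enabled.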


IBM Linux Affinity Toolkit

HP HP-UX Secure Shell A.03.10

OpenSSH OpenSSH 1.2.2

OpenSSH OpenSSH 1.2.3

OpenSSH OpenSSH 2.1

OpenSSH OpenSSH 2.1.1

OpenSSH OpenSSH 2.2

OpenSSH OpenSSH 2.3

OpenSSH OpenSSH 2.5

OpenSSH OpenSSH 2.5.1

OpenSSH OpenSSH 2.5.2

OpenSSH OpenSSH 2.9

OpenSSH OpenSSH 2.9 p1

OpenSSH OpenSSH 2.9 p2

OpenSSH OpenSSH 2.9.9

OpenSSH OpenSSH 3.0

OpenSSH OpenSSH 3.0.1

OpenSSH OpenSSH 3.0.2 p1

OpenSSH OpenSSH 3.0.2

OpenSSH OpenSSH 3.1

OpenSSH OpenSSH 3.1 p1

OpenSSH OpenSSH 3.2

OpenSSH OpenSSH 3.3

OpenSSH OpenSSH 3.3 p1


 

Copyright 2010, SecurityFocus