Jeremy T. Bouse (Jeremy.Bouse@UnderGrid.net) @ 2002.06.26 13:40:28 +0000:
Just be sure you read the full advisory and look deep into it and your own configuration. Recent news has come to light which suggests that it is mostly *BSD OS flavors and those using BSD_AUTH and SKEY. Most often these are not enabled by default on non-BSD OSes.
According to several discussions that took place in the last 48 hours, the flaw fixed in 3.4 might also impact systems using PAM for authenticating ssh logins; it appears to me that the involved group of researchers did not test operating systems other than the free *BSDs. CA-2002-18 has some more vendor-specific information: http://www.cert.org/advisories/CA-2002-18.html

Sure, it's a critical bug, but one should not overlook the Apache chunk handling vulnerability published in CA-2002-17, as it has apparently been integrated into skr1ptk1dd13's "tools" already. Depending on your site's policy you probably have tight restrictions on ssh access, but http is probably allowed from 0/0, so it might be even more critical.

regards, /k