Page last updated:
2002 Jun 24 18:08

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Re: [vox] boy, was that fast!

Quoting Peter Jay Salzman (p@dirac.org):

> i was greeted with a big ol' news item saying a remote vulnerability
> (which is well on its way of being an exploit) was found in openssh.
> everyone is advised to upgrade to 3.3 immediately.
> did a "dselect update && apt-get upgrade" and the update was sitting
> there waiting for me.  pretty cool.

Yes, but beware that the new 3.3p1-0.0woody package is _not_ a real
fix for the problem, in part because the details of the claimed exploit
haven't been released.  The portable-OpenSSH 3.3p1 release simply adds
a separation of code function between a master instance that runs as
root and non-root-authority instances that do practically all of the
work (and do so in chroot jails).  _Furthermore_, that function doesn't
get enabled unless and until you add a new line "UsePrivilegeSeparation
yes" to /etc/ssh/sshd_config and restart.  But there are disadvantages
to doing _that_.

It's all really strange.  Theo de Raadt put out a rather mysterious
communique today saying that the OpenSSH team are putting together
details of a remote exploit against existing versions, but aren't
prepared yet to release details.  Meanwhile, they recommend upgrading to
3.3p1 or later and adding the new config line, but warn that, depending
on your platform, some ssh functions may break.

I've upgraded (on Debian woody), added the new line, and restarted.
So far, no problems.  For those on woody who don't yet have it, you
really ought to have a reference to the (fairly new) "testing" security
package archive in your /etc/apt/sources.list:

deb http://security.debian.org/ testing/updates main contrib non-free

> ps- while i'm here, are there any *recommendations* of palm-desktop
> software?  

Heh.  Oddly enough, I've never used anything fancier than pilot-xfer,
but here's the largest collection of packages of and information on
_open-source_ PalmOS (and related) software to be found anywhere:

You might find something interesting in those dingy old textfiles
of mine.

> if i wanted to grow old and die waiting for software to load, i'd be
> using mozilla instead of opera.  ;) (j/k)

Galeon 1.2.5 does well for me -- and isn't proprietary.

Cheers,     "In 1993, the World-Wide Web was an infosystem based on hypertext.
Rick Moen    In 1994, the World-Wide Web was an infosystem based on hype."
rick@linuxmafia.com                                       -- Lars Aronsson
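The privilege-separation switch the post describes, as an added example that is not Rick Moen's code nor part of OpenSSH or Debian: a POSIX shell check of an sshd_config that follows sshd's own parsing rules (comment lines skipped, keyword matched case-insensitively, first occurrence wins) and reports an absent line as "no", the 3.3p1 default the post describes. The two sample config files are constructed here for illustration.

```shell
#!/bin/sh
# Determine whether an sshd_config file turns on UsePrivilegeSeparation.
# Mirrors how sshd reads its config: comment lines are skipped, the keyword
# matches case-insensitively, and the FIRST occurrence of a keyword wins.
# The value itself is reported verbatim (sshd expects exactly "yes" or "no").
# An absent keyword is reported as "no", the 3.3p1 default the post describes.
privsep_setting() {
    awk '
        /^[ \t]*#/ { next }                          # comment line
        NF >= 2 && tolower($1) == "useprivilegeseparation" {
            print $2; found = 1; exit                # first match wins
        }
        END { if (!found) print "no" }
    ' "$1"
}

# Exit status 0 when the file enables privilege separation, 1 otherwise.
privsep_enabled() {
    [ "$(privsep_setting "$1")" = "yes" ]
}

# Constructed sample configs (not files from the post or from any package).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/unchanged" <<'EOF'
Port 22
# UsePrivilegeSeparation yes      <- commented out: still disabled
EOF
cat > "$SAMPLE_DIR/enabled" <<'EOF'
Port 22
usePrivilegeSeparation yes
UsePrivilegeSeparation no
EOF

for f in unchanged enabled; do
    if privsep_enabled "$SAMPLE_DIR/$f"; then
        echo "$f: privilege separation enabled"
    else
        echo "$f: privilege separation DISABLED (add 'UsePrivilegeSeparation yes' and restart sshd)"
    fi
done
```

The second sample shows why a plain grep is not enough: the later "no" line is ignored by sshd, so the file really does enable the feature.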
LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617