
Privilege Separated OpenSSH 3.3

Package(s): openssh
CVE #(s):
Created: June 24, 2002
Updated: June 26, 2002
Description: The release of OpenSSH 3.3 includes greatly improved support for privilege separation, which is now enabled by default. The process charged with talking to the network now runs without privilege. Upgrading is strongly recommended (see below).

Previously, any corruption in sshd could lead to an immediate remote root compromise if it happened before authentication, and to a local root compromise if it happened after authentication. Privilege separation will make such a compromise very difficult, if not impossible.

Or to put it into the words of Theo de Raadt: "Privilege Separation will one day save our asses." So, turn it on now.

When upgrading with a 2.2.x kernel, disabling compression is recommended to avoid this bug which causes sshd to log a fatal mmap argument error then crash.
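The two recommendations above (keep privilege separation on, and turn compression off on 2.2.x kernels) can be checked against a host's configuration. The following is an added example, not code from this page or from the OpenSSH project. It assumes the sshd_config keywords `UsePrivilegeSeparation` and `Compression`, that Compression defaults to "yes", and that sshd uses the first occurrence of a keyword; the function names and finding labels are hypothetical.

```python
import re

# Defaults: privilege separation is on unless disabled, as this page states for
# OpenSSH 3.3. Compression defaulting to "yes" is an assumption of this example.
DEFAULTS = {"useprivilegeseparation": "yes", "compression": "yes"}


def effective_settings(config_text):
    """Return the value in effect for each keyword this audit cares about."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                         # blank line or comment
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()           # keywords are case-insensitive
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        seen.setdefault(keyword, value)      # first occurrence wins
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}


def audit(config_text, kernel_release):
    """Return finding labels (hypothetical names) for the two recommendations."""
    cfg = effective_settings(config_text)
    findings = []
    if cfg["useprivilegeseparation"] != "yes":
        findings.append("privsep-disabled")
    # The mmap crash described on this page concerns 2.2.x kernels only.
    if kernel_release.startswith("2.2.") and cfg["compression"] != "no":
        findings.append("compression-on-2.2-kernel")
    return findings


# Constructed sample input, not taken from a real host. The later "yes" line
# is ignored because the first occurrence of the keyword is the one in effect.
SAMPLE = """\
# sshd_config (constructed example)
Port 22
Compression yes
usePrivilegeSeparation no
UsePrivilegeSeparation yes
"""

if __name__ == "__main__":
    print(audit(SAMPLE, "2.2.19"))
    print(audit("Compression no\n", "2.2.19"))
```

On a real host, pass the contents of the sshd configuration file and the output of `uname -r` as the two arguments.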

Update: According to this OpenSSH Security Advisory, OpenSSH 3.3 has a serious privilege escalation vulnerability. Please see the new vulnerability report for more information and a list of available alerts.

Alerts:
Conectiva CLA-2002:500 openssh 2002-06-25
SuSE SuSE-SA:2002:023 openssh 2002-06-25
Debian DSA-134-2 ssh 2002-06-25
EnGarde ESA-20020625-015 openssh 2002-06-25
Mandrake MDKSA-2002:040 openssh 2002-06-24
Debian DSA-134-1 ssh 2002-06-24
Eridani ERISA-2002:025 openssh 2002-06-23


Privilege Separated OpenSSH 3.3

Posted Jun 27, 2002 8:26 UTC (Thu) by beejaybee (guest, #1581)

One noticeable omission from this list - Red Hat

C'mon guys I think we need this upgrade (together with the fixes in 3.4)

Brian Beesley

