MkLinux Security Update
[Posted July 3, 2002 by ris]
| From: | "David A. Gatwood" <dgatwood@gatwood.net> |
| To: | mklinux-announce@lists.apple.com |
| Subject: | MkLinux Security Update |
| Date: | Wed, 26 Jun 2002 17:47:15 -0700 (PDT) |
IMPORTANT: Read the install instructions before installing this upgrade.
Failure to do so will break ssh login capability.
MkLinux has just released a security upgrade for recent OpenSSH
vulnerabilities. This requires upgrading both OpenSSL and OpenSSH to
versions 0.9.6d and 3.4p1, respectively. These have been trivially
validated for basic operation. Some advanced features have not been fully
tested due to insufficient prior notice. This upgrade is strictly
use-at-your-own-risk.
This upgrade fixes security holes in S/Key authentication and other
challenge-response authentication. Turning challenge-response support off
in the config file is a partial workaround that may be applied in lieu of
this update if you do not use that feature. However, other security bugs
were also addressed in this update, so you should still upgrade if
possible.
Versions for MkLinux R1 and later are available now at
ftp://ftp.mklinux.org/pub/contrib/NOT_FOR_EXPORT/R1
Versions for MkLinux DR3 will be available when compilation completes at
ftp://ftp.mklinux.org/pub/contrib/NOT_FOR_EXPORT/DR3
Source RPMs can be found at
ftp://ftp.mklinux.org/pub/contrib/NOT_FOR_EXPORT
INSTALLATION NOTES:
WARNING: Failure to follow these notes will cause sshd to fail to start.
Before installing, as root, do the following:
R1 Instructions:
1. adduser sshd
2. mkdir /var/empty
DR3 Instructions:
1. use 'vipw' to add a user called sshd
2. mkdir /var/empty
----------------
The MkLinux Team
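
A pre-install check for the steps above, as an added example that is not part of the original announcement or MkLinux's own tooling. It verifies the sshd account and /var/empty, and reports whether the challenge-response workaround is set through OpenSSH's ChallengeResponseAuthentication option. Assumptions: the function names are hypothetical, the /etc/ssh/sshd_config default path is a guess for this system, and the emptiness and permission checks on /var/empty go beyond the plain mkdir the notes ask for.

```shell
#!/bin/sh
# Added example: checks for the install notes. Paths are parameters so the
# functions can be tried on constructed files before touching a real host.

# 0 if an "sshd" account exists in the given passwd-format file.
has_sshd_user() {
    grep -q '^sshd:' "$1"
}

# 0 if the directory exists, is empty, and is not group- or world-writable.
# (Emptiness and permissions are extra checks, not steps from the notes.)
empty_dir_ok() {
    [ -d "$1" ] || return 1
    [ -z "$(ls -A "$1")" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# 0 only if the first uncommented ChallengeResponseAuthentication line says
# "no". sshd uses the first value it reads, and the default is "yes", so a
# missing or commented-out line counts as enabled.
challenge_response_disabled() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "challengeresponseauthentication" {
            found = 1
            rc = (tolower($2) == "no") ? 0 : 1
            exit rc
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# Run all checks; non-zero means sshd would fail to start after the upgrade.
preflight() {
    passwd_file=${1:-/etc/passwd}
    empty_dir=${2:-/var/empty}
    config=${3:-/etc/ssh/sshd_config}   # assumed location
    rc=0
    has_sshd_user "$passwd_file" || { echo "missing: sshd user"; rc=1; }
    empty_dir_ok "$empty_dir" || { echo "missing or unsafe: $empty_dir"; rc=1; }
    if challenge_response_disabled "$config"; then
        echo "workaround: challenge-response is off"
    else
        echo "workaround: challenge-response is still enabled"
    fi
    return $rc
}
```

Run `preflight` as root with no arguments to check the live system before installing the packages.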