Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT sources DOT redhat DOT com Delivered-To: mailing list cygwin AT sources DOT redhat DOT com Date: Mon, 12 Feb 2001 14:42:10 -0700 From: Mark Paulus Subject: Re: Authentication By-Pass Vulnerability in OpenSSH 2.3.1 (devel snapshot) (fwd) In-reply-to: <20010209084018.C4880@cygbert.vinschen.de> To: Corinna Vinschen Reply-to: Mark Paulus Message-id: <0G8N00K1EYX7YD@pmismtp04.wcomnet.com> MIME-version: 1.0 X-Mailer: PMMail 2000 Professional (2.10.2010) For Windows 2000 (5.0.2195;1) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit Priority: Normal Do I need to do this, if I only use the ssh client?? I had a problem with 2.3.0p1, where it wouldn't connect to my machine @ home through my Netgear router/firewall. However, the latest snapshot I downloaded allows me to connect. I don't want to back off and lose my ability to connect unless you are going to kill me if I don't. On Fri, 09 Feb 2001 08:40:18 +0100, Corinna Vinschen wrote: >FYI for those running snapshots. I have removed the openssh-20010202 >snapshot from cygwin/latest. > >If you are using the openssh-20010202 snapshot PLEASE REVERT BACK TO >openssh-20001221 OR openssh-2.3.0p1.!!! > >Corinna > >---------- Forwarded message ---------- >Date: Thu, 08 Feb 2001 18:15:00 -0500 >From: Niels Provos >To: security-announce AT openbsd DOT org >Subject: Authentication By-Pass Vulnerability in OpenSSH 2.3.1 (devel > snapshot) > >---------------------------------------------------------------------------- > > OpenBSD Security Advisory > > February 8, 2001 > > Authentication By-Pass Vulnerability in OpenSSH-2.3.1 > >---------------------------------------------------------------------------- > >SYNOPSIS > >OpenSSH-2.3.1, a development snapshot, only checked if a public key >for public key authentication was permitted. In the protocol 2 part >of the server, the challenge-response step that ensures that the >connecting client is in possession of the corresponding private key >has been omitted. As a result, anyone who could obtain the public key >listed in the users authorized_keys file could log in as that user >without authentication. > >A fix for this problem was committed on Februrary 8th. The problem >was introduced on January 18th. This is a three week time window. > >---------------------------------------------------------------------------- > >AFFECTED SYSTEMS > >This vulnerability affects only OpenSSH version 2.3.1 with support for >protocol 2 enabled. The latest official release OpenSSH 2.3.0 is not >affected by this problem. The latest snapshot version OpenSSH 2.3.2 >is not affected either. > >---------------------------------------------------------------------------- > >RESOLUTION > >If you installed the OpenSSH 2.3.1 development snapshot, install the >latest snapshot. Currently, the latest snapshot is OpenSSH 2.3.2 which >is available via http://www.openssh.com/. > >---------------------------------------------------------------------------- > > >-- >Want to unsubscribe from this list? >Check out: http://cygwin.com/ml/#unsubscribe-simple > -- Want to unsubscribe from this list? Check out: http://cygwin.com/ml/#unsubscribe-simple