Updating OpenSSH from source
Dan Burcaw
yellowdog-general@lists.terrasoftsolutions.com
Wed Jun 26 16:44:01 2002
On Wed, 2002-06-26 at 15:37, Konstantin Riabitsev wrote:
> On Wed, 2002-06-26 at 17:18, Christopher Murtagh wrote:
> >
> > Here are simple instructions on how to update OpenSSH to the most
> > recent version (for those of use who do this sort of thing of course :-).
> > Updating to openssh-3.4 is *strongly* recommended, whether you do it via
> > source or RPM as there has been a vulnerability found that can lead to a
> > root compromise.
>
> Notably, Red Hat and YellowDog Linux are not affected.
>
> This vulnerability only exists if s/key auth or BSD_AUTH is enabled
> during compile time, which it isn't for RHL/YDL.
>
> If you feel ultra-paranoid, add these lines to your
> /etc/ssh/sshd_config:
>
> ChallengeResponseAuthentication no
>
> Although I've just looked at the openssh.spec in ydl-2.2 and s/key is
> NOT enabled, so there is no reason to panic. Upgrade whenever a new
> package is available.
Yes, you are correct. However, we're still putting out updates
rpms with the patches from the OpenBSD group...