Security: upgrade BIND and SSH...

ME dugan at passwall.com
Tue Jan 30 09:38:21 PST 2001


Just a reminder to those of you that have not yet subscribed to a security
list like BUGTRAQ:

New versions of SSH and BIND are out there. Risk for the BIND exploit are
decreased when running in a chrooted env, and bind uses non-root GID and
UID.

Information cut and pasted from sources below:
(Now migt be a good time to upgrade if you use something earlier than BIND
8.2.3 or SSH 1.2.31).

Enjoy!
-ME

----

New Version of BIND: (Jan 26, 2001)
http://www.isc.org/products/BIND/bind-security.html
(From their web site)

Name:              "tsig bug"
Versions affected:  8.2, 8.2-P1, 8.2.1, 8.2.2-P1, 8.2.2-P2, 8.2.2-P3,
                    8.2.2-P4, 8.2.2-P5, 8.2.2-P6, 8.2.2-P7, and all
                    8.2.3-betas
Exploitable:        Remotely
Type:               Access possible.
Description:        It is possible to overflow a buffer handling TSIG
                    signed queries, thereby obtaining access to the
                    system. 
Workarounds:        None. 
Active Exploits:    Exploits for this bug exist. 

-----

New version of SSH: (Jan 19,2001)
ftp://ftp.ssh.com/pub/ssh/
(From the Change Log)
2000-10-17  Sami J. Lehtinen  <sjl at ssh.com>

        * Fixed an attack against the initial key exchange with server
          and host keys with public exponent of 1. Added warning about
          the attack, known as false-split.




More information about the talk mailing list