On Fri, Sep 21, 2001 at 12:31:12PM +0300, Rumen Telbizov wrote:
> I tried the above vulnerability on 2 FreeBSD 4.3-RELEASE
> boxes and it worked out! I tried this on one Linux RH6.2 box
> with OpenSSH installed on it and it DID NOT work.

This latest vulnerability is specific to systems that have implemented the BSD authentication class scheme. So, as far as I know, the only systems that could be vulnerable to this particular problem are BSDi, FreeBSD, OpenBSD, and possibly NetBSD.[1]

So far, there have been confirmations of FreeBSD vulnerability, a compellingly good description of why OpenBSD is not vulnerable, and (as far as I remember) no feedback from BSDi or NetBSD.

Until Linux distributors start shipping BSD authentication support, Linux users ought to remain pretty safe from this problem. (With the exception of BSDi, I doubt any other commercial unix-like or unix vendors ship the BSD authentication stuff. As always, ask your vendor for details. :)

Cheers! :)

[1]: My apologies to our NetBSD friends; I promise I'll give NetBSD a test drive someday. :)