On Wed, 2002-06-26 at 09:52, Craig Kelley wrote: > On Wed, 26 Jun 2002, Dan Hollis wrote: > > > On Wed, 26 Jun 2002, Craig Kelley wrote: > > > I know you're all probably aware of this by now, but a serious hole is in > > > all versions of OpenSSH shipped with all versions of RedHat: > > > http://online.securityfocus.com/archive/1/278818/2002-06-23/2002-06-29/0 > > > > does any redhat ship with 'ChallengeResponseAuthentication yes' as > > default? > > It's commented out in 7.2 and 7.3, so I'm not sure what the default is. > > The 6.2 version is commented out, but the 'no' value is what is commented > out.... > According to some folks on Slashdot and Valhalla-list, they think Red Hat 7.x is not vulnerable to this exploit because it doesn't appear to have used that compile time option. Can anyone confirm this? _______________________________________________ Redhat-devel-list mailing list Redhat-devel-list@redhat.com https://listman.redhat.com/mailman/listinfo/redhat-devel-list
