On 26 Jun 2002, Warren Togami wrote:

> On Wed, 2002-06-26 at 09:52, Craig Kelley wrote:
> > On Wed, 26 Jun 2002, Dan Hollis wrote:
> >
> > > On Wed, 26 Jun 2002, Craig Kelley wrote:
> > > > I know you're all probably aware of this by now, but a serious hole is in
> > > > all versions of OpenSSH shipped with all versions of RedHat:
> > > > http://online.securityfocus.com/archive/1/278818/2002-06-23/2002-06-29/0
> > >
> > > does any redhat ship with 'ChallengeResponseAuthentication yes' as
> > > default?
> >
> > It's commented out in 7.2 and 7.3, so I'm not sure what the default is.
> >
> > The 6.2 version is commented out, but the 'no' value is what is commented
> > out....
> >
>
> According to some folks on Slashdot and Valhalla-list, they think Red
> Hat 7.x is not vulnerable to this exploit because it doesn't appear to
> have used that compile time option.
>
> Can anyone confirm this?

According to the CERT advisory the version shipped with RHL 7.x is NOT
vulnerable. We can all go back to sleep now!! :-)

--
.............Tom        "Nothing would please me more than being able to
tdiehl@rogueind.com      hire ten programmers and deluge the hobby market
                         with good software." -- Bill Gates 1976

                         We are still waiting ....