similar to: Simon Wilkinson's GSS-API patch

A few weeks ago, we upgraded our Red Hat 7.3 and 9 machines to OpenSSH 3.6.1p2 w/ the corresponding version of Simon's GSSAPI patch. All the expected functionality seems to be there: I can ssh/scp/sftp via Kerberos tickets or local password. However, I seem to be getting a new error message in my logs: For Red Hat 7.3: Message from syslogd at gallifrey at Thu Oct 2 17:24:12 2003 ...

I am trying to compile OpenSSH 4.0p1 on a new Solaris 10 system using the OpenSSL that comes w/ the OS (0.9.7d) as well as MIT Krb5 1.4.1 (for various reasons we are not using Sun's Krb5 implementation): ./configure --prefix=/usr/local --with-kerberos5=/usr/local/krb5 --with-ssl-dir=/usr/sfw And it looks to be bombing here (adding in random support?): -=- gmake[1]: Entering directory

What does mean this bizarre msgid? maillog: Mar 31 19:31:15 cu sm-mta[5352]: h2VFVEGS005352: from=<nb@sindbad.ru>, size=1737, class=0, nrcpts=1, msgid=<!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAfp4Fa2ShPE2u4pP/QpPDIMKAAAAQAAAAj+zb4Isbuk+tYEPVF9Vf, proto=ESMTP, daemon=MTA, relay=wg.pu.ru [193.124.85.219] -- Nikolaj I. Potanin, SA http://www.drweb.ru ID

OK, an official OpenSSH advisory was released, see here: <URL: http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html > The fix is currently in FreeBSD -CURRENT and -STABLE. It will be applied to the security branches as well today. Attached are patches: buffer46.patch -- For FreeBSD 4.6-RELEASE and later buffer45.patch -- For FreeBSD 4.5-RELEASE and

Platform: Irix 6.5.16 OpenSSH 3.5p1 built with MIT Kerb5 v. 1.2.6, OpenSSL 0.9.6g Everything (privsep, ticket forwarding, etc) so far works like a charm. You guys do great work. -- ******************************************************* Quellyn L. Snead CCN-2 Enterprise Software Management Team Los Alamos National Laboratory Schedule B (505) 667-4185

In FreeBSD 5.x only telnet/telnetd works 'out of box' with kerberos. Why ftp/ftpd, ssh/sshd and cvs do not support kerberos ? Thanks!

This affects only 3.7p1 and 3.7.1p1. The advice to leave PAM disabled is far from heartening, nor is the semi-lame blaming the PAM spec for implementation bugs. I happen to like OPIE for remote access. Subject: Portable OpenSSH Security Advisory: sshpam.adv This document can be found at: http://www.openssh.com/txt/sshpam.adv 1. Versions affected: Portable OpenSSH versions 3.7p1

Hi Jacques, list, On Mon, Aug 11, 2003 at 09:09:18AM +0100, Bruce M Simpson wrote: > cc -c -O -pipe -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -fformat-extensions -ansi -g -nostdinc -I- -I. -I/usr/src/sys -I/usr/src/sys/../include -I/usr/src/sys/contrib/ipfilter -D_KERNEL -include opt_global.h -elf

please test Olaf Kirch's patch. it looks fine to me, but i don't to K5. i'd like to see this in the next release. thx -m -------------- next part -------------- --- openssh-3.4p1/auth-krb5.c.krb Sun Jun 9 21:41:48 2002 +++ openssh-3.4p1/auth-krb5.c Tue Jul 23 15:15:43 2002 @@ -73,18 +73,17 @@ * from the ticket */ int -auth_krb5(Authctxt *authctxt, krb5_data *auth, char

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-03:07.sendmail Security Advisory The FreeBSD Project Topic: a second sendmail header parsing buffer overflow Category: contrib Module:

In regards to FreeBSD-SA-03:05.xdr, does anyone know which static binaries or tools under /bin or /sbin actually use that problem code? The recent XDR fixes the xdrmem_getlong_aligned(), xdrmem_putlong_aligned(), xdrmem_getlong_unaligned(), xdrmem_putlong_unaligned(), xdrmem_getbytes(), and/or xdrmem_putbytes() functions, but it is difficult to know what uses these (going backwards manually).

In http://docs.freebsd.org/cgi/mid.cgi?200402260743.IAA18903 it seems RELENG_4 is vulnerable. Is there any work around to a system that has to have ports open ? Version: 1 2/18/2004@03:47:29 GMT >Initial report > <<https://ialert.idefense.com/KODetails.jhtml?irId=207650>https://ialert.idefense.com/KODetails.jhtml?irId=207650; >ID#207650: >FreeBSD Memory Buffer

Any reason why portaudit and its associated infrastructure was not announced to this list or security-notifications? I recently discovered it, and discovered the feature was added to bsd.port.mk in the beginning of feburary. Seeing as the security officer apparently (without announcement) no longer issues security notices (SNs) for ports, I am assuming that portaudit has replaced SNs entirely,

Hello, The current png-1.2.5_4 port has no more vulnerability. It has been corrected by ache@FreeBSD.org yesterday. But when i try to install the updated port to remplace the vulnerable one this is what i am told : # make install ===> png-1.2.5_4 has known vulnerabilities: >> libpng denial-of-service. Reference:

Hello Everyone, You may have seen the recent announcement regarding new OpenSSL vulnerabilities. <URL: http://www.openssl.org/news/secadv_20030930.txt > Just thought I'd drop a line to head off the usual questions. :-) Don't panic. The vulnerability is denial-of-service. OpenSSL 0.9.7c will be imported into -CURRENT and -STABLE over the next couple of days, and included

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-03:08.realpath Security Advisory The FreeBSD Project Topic: Single byte buffer overflow in realpath(3) Category: core Module: libc Announced:

It seems (at least for me) the patches on ftp.freebsd.org are out of date for the 03:12 security advisory (openssh). ftp2.freebsd.org has them fine. I'm wondering if this is a mirror issue or perhaps round-robin DNS problem? What compounds the issue is that right now the old openssh 3.7 patches are there (on ftp.freebsd.org), but not the 3.7.1 patches (which can be found on

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-03:18.openssl Security Advisory The FreeBSD Project Topic: OpenSSL vulnerabilities in ASN.1 parsing Category: crypto Module: openssl Announced:

You've probably already seen the latest sendmail vulnerability. http://lists.netsys.com/pipermail/full-disclosure/2003-September/010287.html I believe you can apply the following patch to any of the security branches: http://cvsweb.freebsd.org/src/contrib/sendmail/src/parseaddr.c.diff?r1=1.1.1.17&r2=1.1.1.18 Download the patch and: # cd /usr/src # patch -p1 < /path/to/patch #

You've probably already seen the latest sendmail vulnerability. http://lists.netsys.com/pipermail/full-disclosure/2003-September/010287.html I believe you can apply the following patch to any of the security branches: http://cvsweb.freebsd.org/src/contrib/sendmail/src/parseaddr.c.diff?r1=1.1.1.17&r2=1.1.1.18 Download the patch and: # cd /usr/src # patch -p1 < /path/to/patch #