Professional Web Applications Themes

SSH on Solaris - Sun Solaris

Great, really great. Now there's no word from Sun about a patch for their SSH and SunFreeWare has no OpenSSH 3.7p1 offerings. Sun Security? Your on your own. P.S. I do know how to make my own Solaris packages, it's just a PITA....

  1. #1

    Default SSH on Solaris

    Great, really great. Now there's no word from Sun about a patch for
    their SSH and SunFreeWare has no OpenSSH 3.7p1 offerings.

    Sun Security? Your on your own.

    P.S. I do know how to make my own Solaris packages, it's just a PITA.
    Baby Guest

  2. #2

    Default Re: SSH on Solaris

    Baby Peanut wrote: 

    Btw, there are exploits in the wild already and our servers are
    getting hit... good idea to block outside access until you can
    get a patch ready.

    Chris Guest

  3. #3

    Default Re: SSH on Solaris

    "Baby Peanut" <com> wrote in message
    news:google.com... 

    Compile it on a box and tarball it... I upgraded 10 boxes last night in
    about 10 minutes.

    You can go back and fix it later if you used a package before.


    Kevin Guest

  4. #4

    Default Re: SSH on Solaris

    On Wed, 17 Sep 2003 11:36:51 -0500, Chris Cox wrote:
     
    >
    > Btw, there are exploits in the wild already and our servers are
    > getting hit... good idea to block outside access until you can
    > get a patch ready.[/ref]

    I was told by my supervisor who spent the last couple of days researching
    this that Sun's SSH package wasn't vulnerable to this latest OpenSSH
    vulnerability. I do realize SunSSH is based on OpenSSH.

    Please advise


    Patrick Guest

  5. #5

    Default Re: SSH on Solaris

    Kevin wrote: 
    >
    > Compile it on a box and tarball it... I upgraded 10 boxes last night in
    > about 10 minutes.[/ref]

    better do that again, 3.7.1 was released hours after 3.7 with more fixes.

    Oscar Guest

  6. #6

    Default Re: SSH on Solaris

     

    It is vulnerable as well.
    http://www.cert.org/advisories/CA-2003-24.html
    See "Appendix A: Vendor Information"

    Oscar Guest

  7. #7

    Default Re: SSH on Solaris

    In article <edu>,
    Patrick Zurek <edu> wrote: 
    >>
    >> Btw, there are exploits in the wild already and our servers are
    >> getting hit... good idea to block outside access until you can
    >> get a patch ready.[/ref]
    >
    >I was told by my supervisor who spent the last couple of days researching
    >this that Sun's SSH package wasn't vulnerable to this latest OpenSSH
    >vulnerability.[/ref]

    S/he's got access to the source code for Sun SSH?
     

    But diverged from it quite a way back now, it seems.

    It's a pity that OpenSSH isn't GPL'd, as then Sun would have to (I)
    make their source available.

    Chris Thompson
    Email: cet1 [at] cam.ac.uk
    Chris Guest

  8. #8

    Default Re: SSH on Solaris

    On Wed, 17 Sep 2003 11:36:51 -0500 Chris Cox <net> wrote: 
    >
    > Btw, there are exploits in the wild already and our servers are
    > getting hit... good idea to block outside access until you can
    > get a patch ready.[/ref]

    What exploits? The bug is not exploitable.

    /fc
    Frank Guest

  9. #9

    Default Re: SSH on Solaris

    Il giorno Wed, 17 Sep 2003, Frank Cusack così ha scritto:

    |On Wed, 17 Sep 2003 11:36:51 -0500 Chris Cox <net> wrote:
    |> Baby Peanut wrote:
    |>> Great, really great. Now there's no word from Sun about a patch for
    |>> their SSH and SunFreeWare has no OpenSSH 3.7p1 offerings.
    |>> Sun Security? Your on your own.
    |>> P.S. I do know how to make my own Solaris packages, it's just a PITA.
    |>
    |> Btw, there are exploits in the wild already and our servers are
    |> getting hit... good idea to block outside access until you can
    |> get a patch ready.
    |
    |What exploits? The bug is not exploitable.
    |

    According to some unconfirmed reports, it is:

    http://lists.netsys.com/pipermail/full-disclosure/2003-September/010103.html

    [Full-Disclosure] new ssh exploit?
    christopher neitzert com
    Mon, 15 Sep 2003 12:02:39 -0400

    * Previous message: [Full-Disclosure] ID tags in rental / high-priced
    retail suits?
    * Next message: [Full-Disclosure] new ssh exploit?
    * Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    --=-kxxym9cla7LA1GuOlD1I
    Content-Type: text/plain
    Content-Transfer-Encoding: quoted-printable


    Does anyone know of or have source related to a new, and unpublished ssh
    exploit? An ISP I work with has filtered all SSH connections due to
    several root level incidents involving ssh. Any information is
    appreciated.





    --=20
    Christopher Neitzert - GPG Key ID: 7DCC491B

    --=-kxxym9cla7LA1GuOlD1I
    Content-Type: application/pgp-signature; name=signature.asc
    Content-Description: This is a digitally signed message part

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.2 (GNU/Linux)

    iD8DBQA/ZeKfAXFK233MSRsRAvOuAJ9IyBx5SYg95ChUCM98g2pDW7jbnQ CfXb0p
    d90mWbOnbWHMxDe4KGbFuQM=
    =HazQ
    -----END PGP SIGNATURE-----

    --=-kxxym9cla7LA1GuOlD1I--



    Sandro


    --
    Bellum se ipsum alet
    La guerra nutre se stessa

    Livio, Ab urbe condita, IV,9
    Alessandro Guest

  10. #10

    Default Re: SSH on Solaris

    Baby Peanut wrote: 

    Computers have no brain - use your own. Get and build the newest openssh
    release from openssh.org.

    BTW, Steve has all you need to know about making packages at
    sunfreeware.com and it's very easy. Even a Unix hand wringer can do it.
    Not needed if you build your own from the openssh source.

    dp

    Dennis Guest

  11. #11

    Default Re: SSH on Solaris

    Oscar del Rio <utoronto.ca> wrote in message news:<utoronto.ca>... 
    > >
    > > Compile it on a box and tarball it... I upgraded 10 boxes last night in
    > > about 10 minutes.[/ref]
    >
    > better do that again, 3.7.1 was released hours after 3.7 with more fixes.[/ref]

    And again too, 3.7.1p2 was released 23-Sep-2003.

    BTW free Sun security notifications:

    http://sunsolve.sun.com/pub-cgi/search.pl?mode=results&origin=advanced&range=20&so =date&coll=fsalert&zone_32=category:security

    If that link is too long it is also available via tinyurl.com

    http://tinyurl.com/nu5o
    Baby Guest

Similar Threads

  1. Replies: 5
    Last Post: December 30th, 11:30 PM
  2. solaris 10 zone / container question (or Solaris 9)
    By anna in forum Linux / Unix Administration
    Replies: 6
    Last Post: June 23rd, 04:24 PM
  3. dual booting Solaris 8 and Solaris 9
    By Nicole in forum Sun Solaris
    Replies: 4
    Last Post: September 5th, 11:03 AM
  4. Replies: 3
    Last Post: August 13th, 03:43 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139