Dear All,
As the situation is fairly fluid I'll issue another summary.
At present I believe there is nothing Tru64 users can do to fix the
OpenSSH vulnerability, because as far as I know nobody has managed to get the
privilege separation feature of OpenSSH 3.3p1 working. This applies
whether or not you have C2-security enabled.
However, things should improve next week. A news item at
www.openssh.org says "keep an eye out for the upcoming OpenSSH 3.4
release on Monday that fixes the vulnerability itself". So as of next
week you should be able to fix the bug without needing the privilege
separation feature.
Nevertheless, the privilege separation feature is highly desirable because it
protects you against bugs that have not yet been discovered. Chris
Adams reports that "the next release of OpenSSH will automatically
turn off privsep for the post authentication phase, so it should work
on all Tru64 with privsep enabled".
Thanks to the many people who have responded.
Regards,
Bob
--
==============================================================
Bob Vickers R.Vickers_at_cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Received on Wed Jun 26 2002 - 15:27:04 NZST