Re: FreeBSD Security Advisory FreeBSD-SA-06:22.openssh

Board: FB_security | Posted: 2006/10/08 09:26 | Thread: 4/4
On Mon, Oct 02, 2006 at 02:25:05PM -0700, Colin Percival wrote:
> Theo de Raadt wrote:
> >> The OpenSSH project believe that the race condition can lead to a Denial
> >> of Service or potentially remote code execution
> >                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > Bullshit.  Where did anyone say this?
>
> The OpenSSH 4.4 release announcement says that, actually:
>
>  * Fix an unsafe signal handler reported by Mark Dowd. The signal
>    handler was vulnerable to a race condition that could be exploited
>    to perform a pre-authentication denial of service. On portable
>    OpenSSH, this vulnerability could theoretically lead to
>             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>    pre-authentication remote code execution if GSSAPI authentication
>    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>    is enabled, but the likelihood of successful exploitation appears
>    remote.

Theo: Maybe you should put people in charge who can read their own release
announcements before flaming a mailing list.
Article code (AID): #15A5Eh00 (FB_security)