US-CERT Vulnerability Notes Database

SuSE Inc. Information for VU#369347

Date Notified: 2002-06-24
Date Updated:
Statement Date:
Status Summary: Vulnerable

Vendor Statement

[F]urther details about the bugs in question have turned up by now, indicating that SuSE Linux products are not affected by the mentioned problem unless the administrator of an openssh installation has actively added the configuration option (PAMAuthenticationViaKbdInt) to the daemon configuration file /etc/ssh/sshd_config to turn this option on. In other words: We are not vulnerable by default.

We have quickly published update packages with the workaround as described in your announcement, but due to incompatibilities and errors in the newer package, we are thinking about downgrading back to our 2.9.9p2 version packages as well as one newer version on one of our newer products. The decision about the downgrade has not been made yet, but we are positive that we will publish another set of update packages that effectively remove the weakness from the package. After all, the currently offered packages for download from our ftp server (ftp://ftp.suse.com/pub/suse/i386/update/) represent an emergency fix that should be considered incomplete considering the quality standards at SuSE.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Since the SuSE Linux distributions of OpenSSH are not vulnerable by default, sites with PAMAuthenticationViaKbdInt enabled are encouraged to turn it off until final, complete packages are available.
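
One way to check whether a host has the option turned on, as an added example (not code from US-CERT or SuSE). The function names `kbdint_setting` and `kbdint_enabled` are hypothetical, and the parsing assumes the sshd_config(5) conventions: keywords are case-insensitive, an optional `=` may separate keyword and value, and the first occurrence of a keyword wins.

```shell
#!/bin/sh
# Added example: report the effective PAMAuthenticationViaKbdInt value.
# Usage: kbdint_setting [path]   (defaults to /etc/ssh/sshd_config)
# Prints the first configured value, or "no" when the option is absent
# (the page states the option is off unless an administrator adds it).
kbdint_setting() {
    conf="${1:-/etc/ssh/sshd_config}"
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    awk '
        # Skip comment lines and blank lines; a commented-out option
        # must not be reported as enabled.
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # Keyword ends at the first whitespace or "=".
            n = match(line, /[ \t=]/)
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            gsub(/"/, "", val)
            if (key == "pamauthenticationviakbdint") {
                print val
                found = 1
                exit            # first occurrence wins
            }
        }
        END { if (!found) print "no" }
    ' "$conf"
}

# Exit status 0 only when the effective value is exactly "yes".
kbdint_enabled() {
    [ "$(kbdint_setting "$1")" = "yes" ]
}
```

On a host where `kbdint_enabled` succeeds, set the option to `no` in `/etc/ssh/sshd_config` and restart sshd, as the addendum advises.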

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

Produced 2009 by US-CERT, a government organization