US-CERT Vulnerability Notes Database

F-Secure Information for VU#157447

Date Notified
Date Modified: 04/20/2002 06:18:02 PM
Status Summary: Not Vulnerable

Vendor Statement

The F-Secure SSH versions 2.x - 3.x don't have a UseLogin option, nor any means to use 'login' to perform user session setup. Since environmental variables are set only after we're running on user uid, we don't see other exploits of this sort either. Furthermore, the administrator is able to control which environmental variables the client is able to set in the ssh daemon config file.

The F-Secure SSH 1.x versions don't provide means for the client to set environmental variables on the server. Also, while a valid user is able to set environmental variables on the server via pubkey authentication options, these are actually not set in case of 'UseLogin' and use of 'login' to handle user logon.

US-CERT Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

Produced 2008 by US-CERT, a government organization