Martin Cracauer via plug on 1 Jul 2024 13:32:06 -0700



Re: [PLUG] recent vulnerability in OpenSSH


Alan D. Salewski via plug wrote on Mon, Jul 01, 2024 at 04:25:46PM -0400: 
> On 2024-07-01 16:21:40, "Alan D. Salewski via plug" <plug@lists.phillylinux.org> spake thus:
> [...]
> > This note from Damien Miller on the 'oss-security' list has a workaround plus
> > patches:
> > 
> >     https://www.openwall.com/lists/oss-security/2024/07/01/2
> 
> I hit send too quickly; I meant to include djm's blurb about the workaround:
> <quote>
>     Regarding the race condition fixed in OpenSSH 9.8. A mitigation to
>     prevent exploitation of this bug is to disable the login grace timer
>     by setting LoginGraceTime=0 in sshd_config. This will however make
>     it much easier for an attacker to deny service to sshd.
> </quote>

I might have to do that on my Mac.  No update yet and sshd is in the
base system.

Have been hunting ssh demons all day.  Is it normal for Debian's
unattended updates to not work as expected?

Martin
-- 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Martin Cracauer <cracauer@cons.org>   http://www.cons.org/cracauer/
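
Added example, not part of the original message or of OpenSSH: a small check for whether the LoginGraceTime=0 workaround quoted above is what a given sshd_config file actually sets. The function names and the sample config are constructed for illustration; the parser reads only the global section (it stops at the first Match block) and does not follow Include files.

```shell
#!/bin/sh
# Print the global LoginGraceTime value from the sshd_config file in $1.
# sshd uses the first value it obtains for a keyword, keywords are
# case-insensitive, and "keyword=value" is accepted like "keyword value".
grace_value() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        sub(/[ \t]*=[ \t]*/, " ", line)      # normalise "key = value"
        split(line, f, /[ \t]+/)
        key = tolower(f[1])
        if (key == "match") exit             # end of the global section
        if (key == "logingracetime") {
            gsub(/"/, "", f[2]); print f[2]; found = 1; exit
        }
    }
    END { if (!found) print "120" }          # sshd default: 120 seconds
    ' "$1"
}

# Report whether the grace timer is disabled (value 0, with or without a unit).
grace_status() {
    v=$(grace_value "$1")
    n=${v%[sSmMhHdDwW]}                      # drop one trailing time unit
    case "$n" in
        ''|*[!0]*) echo "timer-active LoginGraceTime=$v" ;;
        *)         echo "timer-disabled LoginGraceTime=$v" ;;
    esac
}

# Constructed sample config: the later "2m" line is ignored (first value wins).
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# constructed sample, not from a real host
Port 22
logingracetime = 0
LoginGraceTime 2m
Match User backup
    ForceCommand /bin/true
EOF
grace_status "$cfg"
rm -f "$cfg"
```

On a live host, `sshd -T` prints the configuration sshd actually resolves, Include files included, and is the authoritative check; its `logingracetime` line can be compared against the result here.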