[Fwd: LSH: Buffer overrun and remote root compromise in lshd]

Oliver Eikemeier

Sep 20, 2003, 2:19:24 PM
Hi Ports,

port security/lsh 1.5.2 has a remote root compromise,
it seems that even the client part is affected.
Either someone upgrades it to 1.5.3 or we mark it as
broken for 4.9.

The announcement is at:
<http://lists.lysator.liu.se/pipermail/lsh-bugs/2003q3/000127.html>

Regards
Oliver

-------- Original Message --------
Subject: LSH: Buffer overrun and remote root compromise in lshd
Date: 20 Sep 2003 10:58:55 +0200
From: ni...@lysator.liu.se (Niels Möller)

A security hole of the worst kind has been found in lshd. All
versions up to 1.4.2 and all versions in the 1.5.x series up to 1.5.2
are affected.

The primary threat is remote root compromise of the lshd server. Some
exploit programs have been published. It is also likely that a
malicious ssh server can exploit the lsh client.

All users of lsh servers and clients are strongly advised to upgrade
to 1.4.3 (stable) or 1.5.3 (development version, with the usual
caveats), and to immediately disable lshd service until the program
is upgraded.

For further details and instructions, see the [...] announcement of
the new versions. [...]

Regards,
/Niels


_______________________________________________
freebs...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-port...@freebsd.org"

Will Andrews

Sep 20, 2003, 2:21:05 PM
On Sat, Sep 20, 2003 at 08:18:50PM +0200, Oliver Eikemeier wrote:
> port security/lsh 1.5.2 has a remote root compromise,
> it seems that even the client part is affected.
> Either someone upgrades it to 1.5.3 or we mark it as
> broken for 4.9.
>
> The announcement is at:
> <http://lists.lysator.liu.se/pipermail/lsh-bugs/2003q3/000127.html>

Feel free to upgrade the port, it has portmgr approval.

Regards,
--
wca

Oliver Eikemeier

Sep 20, 2003, 4:25:24 PM
Will Andrews wrote:

> On Sat, Sep 20, 2003 at 08:18:50PM +0200, Oliver Eikemeier wrote:
>
>>port security/lsh 1.5.2 has a remote root compromise,
>>it seems that even the client part is affected.
>>Either someone upgrades it to 1.5.3 or we mark it as
>>broken for 4.9.
>>
>>The announcement is at:
>> <http://lists.lysator.liu.se/pipermail/lsh-bugs/2003q3/000127.html>
>
> Feel free to upgrade the port, it has portmgr approval.

This was just a heads up, Dirk dropped maintainership on 2003/02/23:
http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/lsh/Makefile.diff?r1=1.16&r2=1.17

Just mark it as broken.

Regards
Oliver
