Portable OpenSSH 3.7.1p2 released

Date: Tuesday, January 4, 2005 - 5:18 pm

anoncvs3.usa.openbsd.org is down due to a disk failure, it should
be back up in a day or two.

- todd

Date: Monday, July 1, 2002 - 12:30 pm

This is the 4th revision of the Advisory.

This document can be found at: http://www.openssh.com/txt/preauth.adv

1. Versions affected:

Several versions of OpenSSH's sshd between 2.3.1 and 3.3
contain an input validation error that can result in an
integer overflow and privilege escalation.

All versions between 2.3.1 and 3.3 contain a bug in the
PAMAuthenticationViaKbdInt code.

All versions between 2.9.9 and 3.3 contain a bug in the
ChallengeResponseAuthentication code.

OpenSSH 3.4 and later are not affected.

OpenSSH 3.2 and later prevent privilege escalation if
UsePrivilegeSeparation is enabled in sshd_config. OpenSSH
3.3 enables UsePrivilegeSeparation by default.

Although some earlier versions are not affected, upgrading
to OpenSSH 3.4 is recommended, because OpenSSH 3.4 adds
checks for a class of potential bugs.

2. Impact:

This bug can be exploited remotely if ChallengeResponseAuthentication
is enabled in sshd_config. This option is enabled by default on
OpenBSD and other systems.

Affected are at least systems supporting s/key over
SSH protocol version 2 (OpenBSD, FreeBSD and NetBSD
as well as other systems supporting s/key with SSH).
Exploitability of systems using PAMAuthenticationViaKbdInt
has not been verified.

3. Short-Term Solution:

Disable ChallengeResponseAuthentication in sshd_config.

and

Disable PAMAuthenticationViaKbdInt in sshd_config.

Alternatively you can prevent privilege escalation
if you enable UsePrivilegeSeparation in sshd_config.

4. Solution:

Upgrade to OpenSSH 3.4 or apply the following patches.

5. Credits:

ISS.

6. Release Process:

Information release was handled in the following way:

a. We alerted the community via a number of news sites and large
public mailing lists that a major security issue was coming,
and that they...

Cc: <announce@...>, <bugtraq@...>, <lwn@...>, <misc@...>, <news@...>, <openssh-unix-dev@...>, <pab@...>, <secureshell@...>, <technik@...>, <timothy@...>, <webmaster@...>
Date: Tuesday, September 23, 2003 - 8:39 am

Portable OpenSSH 3.7.1p2 has just been released. It will be available
from the mirrors listed at http://www.openssh.com/portable.html shortly.

Please note that this is a release to address issues in the portable
version only. The items mentioned below do not affect the OpenBSD
version.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued
support to the project, especially those who contributed source and
bought T-shirts or posters.

We have a new design of T-shirt available, more info on
http://www.openbsd.org/tshirts.html#18

For international orders use http://https.openbsd.org/cgi-bin/order
and for European orders, use http://https.openbsd.org/cgi-bin/order.eu

Security Changes:
=================

Portable OpenSSH version 3.7p1 and 3.7.1p1 contain multiple
vulnerabilities in the new PAM authentication code. At least one of
these bugs is remotely exploitable (under a non-standard
configuration, with privsep disabled).

OpenSSH 3.7.1p2 fixes these bugs. Please note that these bugs do not
exist in OpenBSD's releases of OpenSSH.

Changes since OpenSSH 3.7.1p1:
==============================

* This release disables PAM by default. To enable it, set "UsePAM yes" in
sshd_config. Due to complexity, inconsistencies in the specification and
differences between vendors' PAM implementations we recommend that PAM
be left disabled in sshd_config unless there is a need for its use.
Sites using only public key or simple password authentication usually
have little need to enable PAM support.

* This release now requires zlib 1.1.4 to build correctly. Previous
versions have security problems.

* Fix compilation for versions of OpenSSL before 0.9.6. Some cipher modes
are not supported for older OpenSSL versions.

* Fix compilation problems on systems with a missing or lacking inet_ntoa()
functio...
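The sshd_config settings named in the 2002 advisory (ChallengeResponseAuthentication, PAMAuthenticationViaKbdInt, UsePrivilegeSeparation) and in the 3.7.1p2 announcement (UsePAM) can be checked against a host's config and version as follows. This is an added example, not part of either message or of OpenSSH; the function names and sample config are constructed, and it assumes an unset PAMAuthenticationViaKbdInt or UsePAM means "no".

```python
import re

def parse_version(v):
    """'3.7.1p1' -> ((3, 7, 1), 1); '3.3' -> ((3, 3, 0), 0). Port 0 means no pN suffix."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised OpenSSH version: {v!r}")
    major, minor, patch, port = (int(g or 0) for g in m.groups())
    return (major, minor, patch), port

def effective_options(config_text):
    """sshd keeps the first value seen for a keyword; keywords are case-insensitive."""
    opts = {}
    for line in config_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def audit(config_text, version):
    """Return (keyword, advice) findings for the settings both announcements name."""
    base, port = parse_version(version)
    opts = effective_options(config_text)
    findings = []
    # Advisory: privsep exists from 3.2 and is the default from 3.3.
    privsep_default = "yes" if base >= (3, 3, 0) else "no"
    privsep = base >= (3, 2, 0) and opts.get("useprivilegeseparation", privsep_default) == "yes"
    if (2, 9, 9) <= base <= (3, 3, 0) and opts.get("challengeresponseauthentication", "yes") != "no":
        # Advisory: enabled by default on OpenBSD and other systems, so unset counts as on.
        findings.append(("ChallengeResponseAuthentication", "set to no or upgrade to 3.4"))
    if (2, 3, 1) <= base <= (3, 3, 0) and opts.get("pamauthenticationviakbdint", "no") == "yes":
        # Assumption: unset means off for this keyword.
        findings.append(("PAMAuthenticationViaKbdInt", "set to no or upgrade to 3.4"))
    if findings and not privsep:
        findings.append(("UsePrivilegeSeparation", "not in effect; privilege escalation is not prevented"))
    if base in ((3, 7, 0), (3, 7, 1)) and port == 1:
        findings.append(("version", "3.7p1/3.7.1p1 PAM code is vulnerable; upgrade to 3.7.1p2"))
    if port and (base, port) >= ((3, 7, 1), 2) and opts.get("usepam", "no") == "yes":
        findings.append(("UsePAM", "enabled explicitly; release notes advise leaving it off unless needed"))
    return findings

# Constructed sample: the commented line is ignored and the first PAM value wins.
SAMPLE = """\
#ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt yes
PAMAuthenticationViaKbdInt no
UsePrivilegeSeparation no
"""
```

Calling `audit(SAMPLE, "3.3")` reports all three advisory settings, while the same config on 3.4 reports nothing.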
