Due to a potentially major security hazard, ssh has been shut down on twistedmatrix.com until further notice.

There has been a discovery of a remote root exploit, but Theo de Raadt has mysteriously refrained from actually providing evidence of this exploit or a patch to fix it. There is currently a half-solution to the exploit, but it requires breaking substantial amounts of functionality, and creating other administrative problems. Surprisingly (Theo's great, ain't he?) the workaround only works correctly on OpenBSD. Additionally, from what I understand, this does not prevent gaining access, only escalating privileges to root level.

More information is here: http://lists.debian.org/debian-security-announce/debian-security-announce-20...

Until some more information arrives about this, please use anonymous pserver access for check-outs from CVS, and mail me patches if you have anything you really want to get committed. (PGP signed, please.)

I am currently working on a shell client and server for Twisted that we can use to work around problems with CVS. (Working title: TRASH, the Twisted Remote Access SHell).

If you require shell access to Zaibach, I have installed telnetd-ssl. (Debian users: apt-get install telnet-ssl; this will replace your existing 'telnet' binary).

--
 | <`'> | Glyph Lefkowitz: Traveling Sorcerer |
 | < _/ > | Lead Developer, the Twisted project |
 | < ___/ > | http://www.twistedmatrix.com |

On Tue, 2002-06-25 at 06:26, Glyph Lefkowitz wrote:
If you require shell access to Zaibach, I have installed telnetd-ssl. (Debian users: apt-get install telnet-ssl; this will replace your existing 'telnet' binary).
Note that zaibach also allows cleartext telnet. If you want to be sure you're not accidentally using cleartext when you don't want to, start telnet with the "-z secure" flag.

"you-mean-I-didn't-already-have-telnet-ssl-installed"-ly yours,

Kevin

From: Glyph Lefkowitz <glyph@twistedmatrix.com>
Subject: [Twisted-Python] Developer Security Notice
Date: Tue, 25 Jun 2002 08:26:16 -0500 (CDT)
Due to a potentially major security hazard, ssh has been shut down on twistedmatrix.com until further notice. There has been a discovery of a remote root exploit, but Theo de Raadt has mysteriously refrained from actually providing evidence of this exploit or a patch to fix it.
More information has suddenly become available. The supar s1kr3t debian informant who contacted me with the information has informed me that (while not official yet) the compile options that Debian uses to build openssh don't make it vulnerable.

Ah well, didn't finish 'trash' before I found out about this, so I'll be tabling that for a while (UNIX is hard, kids; don't try this at home.)

--
 | <`'> | Glyph Lefkowitz: Traveling Sorcerer |
 | < _/ > | Lead Developer, the Twisted project |
 | < ___/ > | http://www.twistedmatrix.com |

On Wed, Jun 26, 2002 at 11:06:21AM -0500, Glyph Lefkowitz wrote:
From: Glyph Lefkowitz <glyph@twistedmatrix.com>
Subject: [Twisted-Python] Developer Security Notice
Date: Tue, 25 Jun 2002 08:26:16 -0500 (CDT)
[snip] [snip]
Ah well, didn't finish 'trash' before I found out about this, so I'll be tabling that for a while (UNIX is hard, kids; don't try this at home.)
*cough* Is 'trash' in CVS anywhere? I'd kinda like to take a look :)

Jp

--
| This
| signature
| intentionally
| 8 lines
| long.
| (So sue me)
---
-- 9:11am up 37 days, 9:54, 3 users, load average: 0.00, 0.00, 0.00

From: exarkun@meson.dyndns.org
Subject: Re: [Twisted-Python] Developer Security Notice
Date: Thu, 27 Jun 2002 09:12:51 -0400
On Wed, Jun 26, 2002 at 11:06:21AM -0500, Glyph Lefkowitz wrote:
From: Glyph Lefkowitz <glyph@twistedmatrix.com>
Subject: [Twisted-Python] Developer Security Notice
Date: Tue, 25 Jun 2002 08:26:16 -0500 (CDT)
[snip] [snip]
Ah well, didn't finish 'trash' before I found out about this, so I'll be tabling that for a while (UNIX is hard, kids; don't try this at home.)
*cough* Is 'trash' in CVS anywhere? I'd kinda like to take a look :)
Nah. And there's nothing interesting in it yet, so far -- most of the work I did was trying to figure out how the hell setuid/setgid worked, and I checked in those additions to twisted.internet.process.

--
 | <`'> | Glyph Lefkowitz: Traveling Sorcerer |
 | < _/ > | Lead Developer, the Twisted project |
 | < ___/ > | http://www.twistedmatrix.com |

participants (3)
- exarkun@meson.dyndns.org
- Glyph Lefkowitz
- Kevin Turner