
RE: [cobalt-users] If you have been a victim



> Hate to give you the bad news but per SEVERAL posts here within
> the past week the SSH server package from pkg.nl.cobalt.com is 
> OLD and EXPLOITABLE and needs to be upgraded.
> 
> Within an hour of having a Raq 3 OS restored the bastards from
> Korea came calling attempting to hammer their way in through
> SSH.  You need to upgrade to:
> 
> sshd version OpenSSH_2.3.0p1
> Actually 2.5 was released this week but the RPMs are not available yet.
> If you want to compile it from the source at www.openssh.org there seems
> to be a bug that won't let it see where Cobalt put openssl. Too weary
> to figure out how to patch it so I went with the 2.3 rpms.

Agreed, I am working on this process even now; but in the absence of 
any other way into the console, you may believe the "outdated" package
from cobalt came pretty much as a life saver. I'm neither advocating
nor knocking any particular implementation of SSH; but rather offering
my story as a quick way out of the woods for folks who got shat upon
by these idiots recently. As always, your box is your own responsibility
and it was not my intent to provide a comprehensive treatise on security
or more narrowly, SSH. I point this out, not to take issue with Tony;
but to address the well-put need for clarification.

Clark Morgan