Bugtraq mailing list archives
Re: S/Key & OPIE Database Vulnerability
From: david () FUNDY CA (David Maxwell)
Date: Sun, 23 Jan 2000 22:13:08 -0400
On Fri, Jan 21, 2000 at 07:15:20PM -0600, harikiri wrote:
> w00w00 Security Advisory - http://www.w00w00.org
>
> Title: S/Key & OPIE Database Vulnerability
> Platforms: BSD/OS 4.0.1 (SKEY).
>            FreeBSD 3.4-RELEASE (OPIE).
>            Linux Distributions (with skey-2.2-1 RPM).
>            Any Unix running skey-2.2. (possibly earlier versions too)
> Discovered: 14th January, 2000
NetBSD began installing a mode 600 /etc/skeykeys file as of Jan 6, 1999. This issue would not affect the two most recent formal releases, 1.4, and 1.4.1 - as they include the more secure default.

Users of skey on earlier installs should evaluate appropriate permissions for their /etc/skeykeys file based on local requirements (e.g. non-setuid programs performing authentication) - as indicated in the w00w00 advisory.

I'm not a member of the NetBSD security team, I'm just speaking as a user...

--
David Maxwell, david () vex net|david () maxwell net
--> Any sufficiently advanced Common Sense will seem like magic...
- me
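
The permission review suggested in the message above can be scripted; the following is an added example, not part of the original post or of any NetBSD, skey or OPIE code. The function name `skey_db_audit` and its return codes are assumptions made for illustration, and the demonstration runs on a constructed temporary file rather than a real key database.

```shell
#!/bin/sh
# Added example (constructed): classify who can access an S/Key database file.
# skey_db_audit is a hypothetical helper, not part of skey, OPIE or NetBSD.
# Return codes: 0 owner-only, 1 group access, 2 bits set for "other",
# 3 missing, a symlink, or not a regular file.

skey_db_audit() {
    db=${1:-/etc/skeykeys}
    # A symlink or special file in place of the database is itself a finding.
    if [ -L "$db" ] || [ ! -f "$db" ]; then
        echo "$db: missing, a symlink, or not a regular file"
        return 3
    fi
    listing=$(ls -ld -- "$db")
    perms=$(printf '%s\n' "$listing" | cut -c1-10)    # e.g. -rw-r--r--
    grp=$(printf '%s\n' "$listing" | awk '{print $4}') # owning group
    group_bits=$(printf '%s\n' "$perms" | cut -c5-7)
    other_bits=$(printf '%s\n' "$perms" | cut -c8-10)

    if [ "$other_bits" != "---" ]; then
        echo "$db: $perms - permission bits set for other (all local accounts)"
        return 2
    fi
    if [ "$group_bits" != "---" ]; then
        # Only justified by a local requirement, such as a group reserved
        # for non-setuid programs that perform authentication.
        echo "$db: $perms - group '$grp' has access; confirm it is needed"
        return 1
    fi
    echo "$db: $perms - owner-only access, as with a mode 600 install"
    return 0
}

# Demonstration on a constructed file (not a real key database).
demo=$(mktemp)
chmod 644 "$demo"; skey_db_audit "$demo" || :
chmod 640 "$demo"; skey_db_audit "$demo" || :
chmod 600 "$demo"; skey_db_audit "$demo" || :
rm -f "$demo"
```

Called with no argument, the function inspects /etc/skeykeys, the path named in the message.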