A security hole that may allow an attacker to authenticate if -- and only if -- the administrator has enabled KerberosV. By default, OpenSSH KerberosV support only becomes active after KerberosV has been properly configured.
Subject: OpenSSH 3.0.1 Date: Mon, 19 Nov 2001 17:13:02 +0100 From: openssh@openbsd.org Reply-To: openssh-unix-dev@mindrot.org To: openssh-unix-announce@mindrot.org, openssh-unix-dev@mindrot.org CC: lwn@lwn.net, announce@openbsd.org, misc@openbsd.org, dengue@deadly.org, news@linuxsecurity.com OpenSSH 3.0.1 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support and encouragement. Important Changes: ================== A security hole that may allow an attacker to authenticate if -- and only if -- the administrator has enabled KerberosV. By default, OpenSSH KerberosV support only becomes active after KerberosV has been properly configured. An excessive memory clearing bug (which we believe to be unexploitable) also exists, but since this may cause daemon crashes, we are providing a fix as well. Various other non-critical fixes (~& support and more). OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller and Ben Lindstrom.
