[13537] in bugtraq

Re: S/Key & OPIE Database Vulnerability

daemon@ATHENA.MIT.EDU (David Maxwell)
Mon Jan 24 21:16:14 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000123221308.B12799@fundy.ca>
Date:         Sun, 23 Jan 2000 22:13:08 -0400
Reply-To: David Maxwell <david@FUNDY.CA>
From: David Maxwell <david@FUNDY.CA>
X-To:         harikiri <harikiri@ATTRITION.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.BSO.4.10.10001210714290.21438-100000@shaolin.fcbl.net>;
              from harikiri on Fri, Jan 21, 2000 at 07:15:20PM -0600

On Fri, Jan 21, 2000 at 07:15:20PM -0600, harikiri wrote:
> w00w00 Security Advisory - http://www.w00w00.org
>
> Title: 		S/Key & OPIE Database Vulnerability
> Platforms: 	BSD/OS 4.0.1 (SKEY).
> 		FreeBSD 3.4-RELEASE (OPIE).
> 		Linux Distributions (with skey-2.2-1 RPM).
> 		Any Unix running skey-2.2. (possibly earlier versions too)
> Discovered:	14th January, 2000

NetBSD began installing a mode 600 /etc/skeykeys file as of Jan 6, 1999.
This issue would not affect the two most recent formal releases, 1.4,
and 1.4.1 - as they include the more secure default.

Users of skey on earlier installs should evaluate appropriate permissions
for their /etc/skeykeys file based on local requirements (e.g. non-setuid
programs performing authentication) - as indicated in the w00w00 advisory.

I'm not a member of the NetBSD security team, I'm just speaking as a user...

--
David Maxwell, david@vex.net|david@maxwell.net -->
Any sufficiently advanced Common Sense will seem like magic...
					      - me
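
One way to run the permission review suggested above, as an added example that is not part of the original message or of NetBSD's code: a POSIX shell check that flags group or other access on the S/Key database. The function names and the "group" policy option are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory or the NetBSD tree): audit the
# permission bits on an S/Key database file.
# Exit status: 0 = acceptable, 1 = too permissive, 2 = file absent.

# True if FILE has at least one of the listed octal permission bits set.
# Uses only POSIX find(1) so it behaves the same on BSD and Linux.
has_any_perm() {
    _file=$1; shift
    for _bit in "$@"; do
        [ -n "$(find "$_file" -prune -perm "-$_bit" -print)" ] && return 0
    done
    return 1
}

# skeykeys_audit [FILE] [POLICY]   (hypothetical helper)
#   POLICY "owner" (default): no group or other access, as with mode 600.
#   POLICY "group" (assumed local choice): group read allowed, for sites
#   whose non-setuid authenticators reach the file through a group.
skeykeys_audit() {
    path=${1:-/etc/skeykeys}
    policy=${2:-owner}
    if [ ! -e "$path" ]; then
        echo "absent: $path"; return 2
    fi
    if has_any_perm "$path" 004 002 001; then
        echo "too permissive: $path grants access to other"; return 1
    fi
    if [ "$policy" = group ]; then
        group_bits="020 010"      # group read tolerated, write/execute not
    else
        group_bits="040 020 010"
    fi
    # Word splitting of the bit list is intended here.
    if has_any_perm "$path" $group_bits; then
        echo "too permissive: $path grants access to group"; return 1
    fi
    echo "ok: $path ($policy policy)"
    return 0
}
```

Called with no arguments it checks /etc/skeykeys under the owner-only policy; pass `group` as the second argument where a dedicated group is the local requirement.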
