On Thu, 19 Jan 2006, Senthil Kumar wrote:

> Hi,
> Im using OpenSSH 4.0 p1 linked with zlib version less then 1.2.2 in a number
> of systems. These are all production systems where I can't upgrade the
> service. I have a question that if I disable the compression by setting
> "compression no" in sshd_config, will I be able to overcome the Buffer
> overflow vulnerability in zlib. I just glanced through the code and it seems
> sshd is not affected if "compression no" is set. I would like to get inputs
> from the list.

Yes, but you should disable compression for the clients too so they are
not subject to attacks from hostile servers.

OpenSSH 4.2 or greater supports the "zlib@openssh.com" method. This is safe
against pre-authentication attacks on the zlib code and therefore (if used
with privsep) means that even a valid but hostile user cannot use zlib bugs
to escalate privilege.


openssh-unix-dev mailing list