3rd SSH Patch
Security Changes:
=================
Portable OpenSSH version 3.7p1 and 3.7.1p1 contain multiple
vulnerabilities in the new PAM authentication code. At least one of
these bugs is remotely exploitable (under a non-standard
configuration, with privsep disabled).
OpenSSH 3.7.1p2 fixes these bugs. Please note that these bugs do not
exist in OpenBSD's releases of OpenSSH.
Changes since OpenSSH 3.7.1p1:
==============================
* This release disables PAM by default. To enable it, set "UsePAM yes" in
sshd_config. Due to complexity, inconsistencies in the specification and
differences between vendors' PAM implementations we recommend that PAM
be left disabled in sshd_config unless there is a need for its use.
Sites using only public key or simple password authentication usually
have little need to enable PAM support.
* This release now requires zlib 1.1.4 to build correctly. Previous
versions have security problems.
* Fix compilation for versions of OpenSSL before 0.9.6. Some cipher modes
are not supported for older OpenSSL versions.
* Fix compilation problems on systems with a missing or lacking inet_ntoa()
function.
* Workaround problems related to unimplemented or broken setresuid/setreuid
functions on several platforms.
* Fix compilation on older OpenBSD systems.
* Fix handling of password-less authentication (PermitEmptyPasswords=yes)
that has not worked since the 3.7p1 release.
Checksums:
==========
- MD5 (openssh-3.7.1p2.tar.gz) = 61cf5b059938718308836d00f6764a94
Ho hum...
Rus
