Date: Thu, 8 Feb 2001 22:32:20 -0500
Message-Id: <200102090332.WAA05790@egyptian-gods.MIT.EDU>
From: Greg Hudson <ghudson@MIT.EDU>
To: release-announce@MIT.EDU
Subject: Emergency Athena 8.4.20 patch release right now

Hi.  A remotely exploitable security hole was recently found in the
version of sshd we use on Athena.  To address this issue, we've
put out an emergency patch release to update sshd.

If you have an AUTOUPDATE=false machine and want to take the patch
release manually after it goes out, do a console login as root and run
"update_ws".

If you have a machine which runs sshd and cannot conveniently take the
update, or a layered Linux machine, you can manually update your sshd
binary by logging in as root and doing the following:

	ON SOLARIS OR IRIX:

		cp /srvd/etc/athena/sshd /etc/athena/sshd.new
		mv /etc/athena/sshd.new /etc/athena/sshd
		# Reboot if reasonable; otherwise restart sshd:
		kill `cat /var/athena/sshd.pid`
		sshd

	ON LINUX:

		rpm -U /afs/athena.mit.edu/system/rhlinux/athena-8.4/free/RPMS/athena-ssh-8.4-20.i386.rpm
		# Reboot if reasonable; otherwise restart sshd:
		kill `cat /var/athena/sshd.pid`
		sshd

If you have an Athena 8.3 or earlier machine which runs sshd, please
disable sshd for now (set SSHD=false in /etc/athena/rc.conf and "kill
`cat /var/athena/sshd.pid`") and contact us if you need further
support.

Please send questions or comments to release-team@mit.edu.
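
The manual steps above stage the new binary as sshd.new and then rename it over the old one, so the installed path is never half-written. The following is an added example, not part of the original announcement and not Athena tooling: a sketch of that same stage, verify, rename and restart sequence with checks on the copy and on the pid file. The function names and the 755 mode are assumptions.

```shell
#!/bin/sh
# Added example: staged, verified replacement of a daemon binary.
# Function names are hypothetical; nothing here is Athena's own code.

# replace_binary SRC DST
# Copies SRC to DST.new (same directory, so same filesystem as DST),
# verifies the copy byte-for-byte, then renames it over DST. The rename
# is atomic: DST is never seen half-written, and a running daemon keeps
# executing its old inode until it is restarted.
replace_binary() {
    src=$1 dst=$2 tmp=$2.new
    [ -f "$src" ] && [ -s "$src" ] || { echo "bad source: $src" >&2; return 1; }
    cp "$src" "$tmp" || return 1
    if ! cmp -s "$src" "$tmp"; then
        echo "copy mismatch, leaving $dst untouched" >&2
        rm -f "$tmp"
        return 1
    fi
    # 755 is an assumed mode for a daemon binary.
    chmod 755 "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dst"
}

# pid_from_file PIDFILE
# Prints the PID only if the file holds a single integer greater than 1,
# so a stale or corrupted pid file never becomes an argument to kill.
pid_from_file() {
    [ -r "$1" ] || return 1
    pid=$(cat "$1")
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$pid" -gt 1 ] || return 1
    echo "$pid"
}

# restart_daemon PIDFILE COMMAND...
# Stops the old process if the pid file is valid, then runs COMMAND
# to start the replaced binary.
restart_daemon() {
    pidfile=$1; shift
    if pid=$(pid_from_file "$pidfile"); then
        kill "$pid" 2>/dev/null || echo "pid $pid not running" >&2
    fi
    "$@"
}
```

With the paths from the Solaris/IRIX instructions this would be called as replace_binary /srvd/etc/athena/sshd /etc/athena/sshd followed by restart_daemon /var/athena/sshd.pid sshd.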
