On Thu, 21 Mar 2002, Brian Densmore wrote:

> Static linking is generally a very bad thing. Think about all those
> applications out there that are static linked to zlib 1.1.3. They all
> now have to be recompiled with zlib 1.1.4 to fix the "double free" root
> exploit. Anyone figured out how to use it yet? Please don't post it, if
> you have. I am just wondering. I haven't figured out a way to exploit
> from an external machine. I could write a program to do it, but then the
> problem is to get it on to a box and then execute it. I'm not sure how
> you would do it without putting your own trojan on the box first. So you
> would have to have an exploit to exploit the exploit!? That new PHP
> exploit actually sounds rather bad though.

Most browsers support zlib-compressed data streams, e.g. if you have
"file.txt.gz" or "file.html.gz" on your web server, Mozilla, Netscape,
and IE will happily decompress them on the fly. If you can manage to find
an exploit using this method you might be able to run arbitrary code on
someone's machine simply by getting them to load a web page (or by
sending them an email in the case of Outlook).

> Brian
>
> > -----Original Message-----
> > From: JD Runyan [mailto:Jason.Runyan@nitckc.usda.gov]
> > Sent: Thursday, March 21, 2002 11:41 AM
> > To: KCLUG (E-mail)
> > Subject: Re: SSL and SSH
> >
> > You can compile it with static linking of the ssl libraries,
> > but I think you would have to use another machine to generate keys.
> >
> > On Mar 21 11:13, Brian Densmore wrote:
> > > ssh depends on ssl. Can't install ssh if you don't have ssl. At least
> > > none of the versions I have ever seen let you. I'd be interested in
> > > knowing of anyone who has installed ssh without ssl. Not that I
> > > recommend it.
> > >
> > > > -----Original Message-----
> > > > From: Jonathan Hutchins [mailto:hutchins@opus1.com]
> > > > Sent: Thursday, March 21, 2002 11:08 AM
> > > > To: Brian Densmore; KCLUG (E-mail)
> > > > Subject: Re: Permissions Question
> > > >
> > > > ----- Original Message -----
> > > > From: "Brian Densmore"
> > > >
> > > > > Install openssl and openssh.
> > > >
> > > > You explain what Seth will be doing with SSH, but why does he
> > > > need ssl too?
> > > >
> > > > majordomo@kclug.org
> >
> > --
> > JD Runyan
> > Mid-Range Systems Administrator
> > USDA NITC Kansas City
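
Added example, not part of the original thread: one way to find the statically linked copies of zlib that the quoted message says must be rebuilt. It relies on the " deflate <version> Copyright 1995-..." and " inflate <version> Copyright 1995-..." strings that zlib compiles into its object code; the function names and the sample byte strings are constructed for this illustration.

```python
import re
import sys
from pathlib import Path

# zlib embeds strings such as " deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly "
# and " inflate 1.1.3 Copyright 1995-1998 Mark Adler " in its object code, so a
# binary that carries its own copy of zlib normally contains them too.
ZLIB_MARKER = re.compile(rb"(?:deflate|inflate) (\d+\.\d+(?:\.\d+)*) Copyright 1995-")
FIXED = (1, 1, 4)  # release named in the thread as fixing the double free

# Constructed sample inputs (not real binaries), used for offline checks.
SAMPLE_OLD = (b"\x7fELF\x00pad\x00 deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00"
              b" inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00")
SAMPLE_FIXED = b"\x7fELF\x00 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly \x00"

def embedded_zlib_versions(data: bytes) -> set:
    """Return every zlib version, as an int tuple, whose marker appears in data."""
    return {tuple(int(part) for part in m.group(1).split(b"."))
            for m in ZLIB_MARKER.finditer(data)}

def needs_rebuild(data: bytes) -> bool:
    """True if data carries a zlib copy older than the fixed release."""
    return any(version < FIXED for version in embedded_zlib_versions(data))

def scan(root: str) -> list:
    """Return (path, old_versions) for regular files under root that embed old zlib.

    A hit on libz itself is expected; a hit on any other executable or library
    means it has a private copy that a libz upgrade will not replace.
    Packed or compressed executables hide the marker and are not detected.
    """
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            versions = embedded_zlib_versions(path.read_bytes())
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        old = sorted(v for v in versions if v < FIXED)
        if old:
            hits.append((str(path), old))
    return hits

if __name__ == "__main__":
    for name, old in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(name, ", ".join(".".join(map(str, v)) for v in old))
```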