
Re: Ssh2-packet still secure?

On Tue, Sep 16, 2003 at 09:32:00PM +0100, Colin Watson wrote:
> On Tue, Sep 16, 2003 at 08:38:39PM +0200, Johan C wrote:
> > I use ssh2 (2.0.13-7) on my webserver. As far as I can see this packet has
> > not been updated since Sat, 15 Dec 2001 12:43:25 +0000. My question is if
> > this packet is still considered secure and reliable to use after all
> > OpenSSH-bugs, since it's not updated for almost 2 years, or is that because
> > it's considered outdated?
> The ssh2 package was the non-free ssh.com version of SSH, not OpenSSH.
> We removed it from Debian testing and unstable some time ago, and the
> last version uploaded to Debian was a long way behind ssh.com's version
> even then. I would be astonished if it didn't have a number of security
> holes.

Here's a possible privilege escalation requiring a local account:


There are several reports of vulnerabilities in newer versions of ssh2,
but 2.0.13 is so old that people don't often even bother to quote it as
vulnerable or not vulnerable.

> (QA group: should we ask for ssh2 to be removed from stable as well? I
> don't think the project can reasonably support it at this point.)

I've mailed the security team about this.


Colin Watson                                  [cjwatson@flatline.org.uk]
