
Re: Ssh2-packet still secure?



On Tue, Sep 16, 2003 at 09:32:00PM +0100, Colin Watson wrote:
> On Tue, Sep 16, 2003 at 08:38:39PM +0200, Johan C wrote:
> > I use ssh2 (2.0.13-7) on my webserver. As far as I can see this packet has
> > not been updated since Sat, 15 Dec 2001 12:43:25 +0000. My question is if
> > this packet is still considered secure and reliable to use after all
> > OpenSSH-bugs, since it's not updated for almost 2 years, or is that because
> > it's considered outdated?
> 
> The ssh2 package was the non-free ssh.com version of SSH, not OpenSSH.
> We removed it from Debian testing and unstable some time ago, and the
> last version uploaded to Debian was a long way behind ssh.com's version
> even then. I would be astonished if it didn't have a number of security
> holes.

Here's a possible privilege escalation requiring a local account:

  http://www.securityfocus.com/bid/6247

There are several reports of vulnerabilities in newer versions of ssh2,
but 2.0.13 is so old that people don't often even bother to quote it as
vulnerable or not vulnerable.

> (QA group: should we ask for ssh2 to be removed from stable as well? I
> don't think the project can reasonably support it at this point.)

I've mailed the security team about this.

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]


