
Re: ssh2 2.0.13-6 vulnerable to crc32 compensation attack ?



On Fri, Dec 14, 2001 at 03:54:59PM +0100, Philipp Haeuser wrote:

> Is ssh2 2.0.13-6 (the debian/unstable package from packages.debian.org)
> vulnerable to the crc32 compensation attack described here ?
> 
> http://razor.bindview.com/publish/advisories/adv_ssh1crc.html

This issue only applies to ssh protocol v1.  The above page says:

<quote>
 ** Not vulnerable:

SSH2 (ssh.com): all 2.x releases NOTE: SSH2 installations with SSH1 fallback
support are vulnerable
</quote>

This problem did exist in ssh-nonfree in unstable, and was fixed in
1.2.27-8.

> How about the ssh 1:1.2.3-9.3 and ssh-nonfree 1.2.27-6.1 packages
> (debian/stable from packages.debian.org), are they safe regarding this
> attack?

The stable version of OpenSSH (ssh) was fixed in February, see DSA-027-1:

http://www.debian.org/security/2001/dsa-027

The stable version of ssh-nonfree has recently been patched to fix the
vulnerability, see DSA-086-1:

http://www.debian.org/security/2001/dsa-086

-- 
 - mdz
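The advisory text quoted above turns on one distinction: the CRC32 compensation flaw is a protocol-1 bug, so an SSH2 server is only exposed if it still falls back to protocol 1. Below is an added example, not code from the thread or from any Debian package, that classifies a server from its identification string as defined in RFC 4253 (a "1.99" protoversion means a v2 server that also accepts v1; the banners are constructed samples, not captured from real hosts):

```python
import re

# RFC 4253 s.4.2: the identification line is "SSH-protoversion-softwareversion [SP comments]".
# A server may send other lines first; a client must skip any line not starting with "SSH-".
_BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_banner(data: bytes) -> dict:
    """Parse raw bytes read from an SSH server and classify its protocol support.

    Returns keys 'proto', 'software', 'supports_v1', 'supports_v2' and
    'v1_fallback' (a v2 server that also offers v1, the case the advisory flags).
    Raises ValueError if no identification line is present.
    """
    for raw in data.decode("ascii", errors="replace").splitlines():
        line = raw.rstrip("\r")
        if not line.startswith("SSH-"):
            continue  # pre-banner text is ignored, as the RFC requires
        m = _BANNER_RE.match(line)
        if not m:
            raise ValueError(f"malformed identification line: {line!r}")
        proto = m.group("proto")
        # "1.99" is the RFC 4253 convention for "speaks 2.0 but will also accept 1.x".
        v1 = proto.startswith("1.")
        v2 = proto in ("2.0", "1.99")
        return {
            "proto": proto,
            "software": m.group("software"),
            "supports_v1": v1,
            "supports_v2": v2,
            "v1_fallback": v1 and v2,
        }
    raise ValueError("no SSH identification line in input")


def exposed_to_v1_only_flaws(data: bytes) -> bool:
    """True when the server will still negotiate protocol 1, so v1-only bugs apply."""
    return parse_banner(data)["supports_v1"]


# Constructed sample banners (hypothetical, not captured from any real host).
SAMPLES = {
    "v2_only": b"SSH-2.0-OpenSSH_2.9p2\r\n",
    "v1_fallback": b"Welcome\r\nSSH-1.99-OpenSSH_2.9p2\r\n",
    "v1_only": b"SSH-1.5-1.2.27\r\n",
}
```

Reading the banner from a real server is just a socket `recv` on port 22 before sending anything; the classification above is the part that maps onto the advisory's "SSH1 fallback" caveat.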
