[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ssh vulernability



On Sun, Oct 21, 2001 at 04:41:17PM -0500, Mike Renfro wrote:
> On Fri, Oct 19, 2001 at 03:26:18PM -0800, Ethan Benson wrote:
> > On Fri, Oct 19, 2001 at 06:06:34PM -0400, ahall@secureworks.net wrote:
> > > Has debian released a new ssh dpkg yet?
> > 
> > no
> 
> If this is about the buffer overflow exploit that's supposed to be
> going around now, wasn't this fixed in the following:

well i assumed he was referring to the OpenSSH2 problems with
authorized_keys2 among others fixed in 2.9.9p2.  while this is not
relevant to stable it does affect unstable users, and the sid ssh
packages are still not updated to 2.9.9p2.  this is not the
responisibility of the security team of course.

there is also the so called traffic analysis problems which stable ssh
has no workarounds for.  (there are patches to counteract that
problem).  

> openssh (1:1.2.3-9.2) stable; urgency=high
> 
>   * Non-maintainer upload by Security Team
>   * Added backported fix for a buffer overflow (thanks to Piotr
>     Roszatycki)
>   * Added modified build dependencies from unstable for convenience
>   * Added patch that fixes an rsa key exchange problem made public by CORE
>     SDI.
> 
>  -- Martin Schulze <joey@debian.org>  Thu,  8 Feb 2001 22:15:04 +0100
> 
> If it's a different exploit entirely, please ignore.
> 
> -- 
> Mike Renfro  / R&D Engineer, Center for Manufacturing Research,
> 931 372-3601 / Tennessee Technological University -- renfro@tntech.edu
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

Attachment: pgpG7QxSql9bU.pgp
Description: PGP signature


Reply to: