On Mon, Nov 12, 2001 at 11:30:49AM +0100, Michal Kara wrote: > Hi there! > > During this weekend, there has been paper posted to bugtraq named "Analysis of > SSH crc32 compensation attack detector exploit". It talks about a recorded > successful exploit using overflow in CRC32 compensation attack detection code, a > hole, which was discovered in February this year. > > In the appendices, there is also program checking if you are vulnerable by > checking the version string SSH daemon produces on connect. The newest Dewbian > Potato version produces string "SSH-1.5-OpenSSH-1.2.3" which is listed as > vulnerable to this security hole. However, the Debian advisory released in > February says refers to version 1.2.3 as having this fixed... > > So how it is? Who is wrong? debian backports security fixes to whatever version is in stable, they don't just slop new upstream versions into stable to take care of security bugs. -- Ethan Benson http://www.alaska.net/~erbenson/
Attachment:
pgptiVR2PfJ5k.pgp
Description: PGP signature