Am Mon, 12. Nov 2001, 11:30:49 +0100 schrieb Michal Kara: > Hi there! > > During this weekend, there has been paper posted to bugtraq named "Analysis of > SSH crc32 compensation attack detector exploit". It talks about a recorded > successful exploit using overflow in CRC32 compensation attack detection code, a > hole, which was discovered in February this year. > > In the appendices, there is also program checking if you are vulnerable by > checking the version string SSH daemon produces on connect. The newest Dewbian > Potato version produces string "SSH-1.5-OpenSSH-1.2.3" which is listed as > vulnerable to this security hole. However, the Debian advisory released in > February says refers to version 1.2.3 as having this fixed... > > So how it is? Who is wrong? > > Thanks, > Michal Check out the thread starting at http://lists.debian.org/debian-security/2001/debian-security-200111/msg00025.html Basicly, in Debian potato the fix was backported to the old Version of ssh so it should be safe. Jö. -- If God had intended Man to Smoke, He would have set him on Fire. -- fortune
Attachment:
pgpddDk1QOsqc.pgp
Description: PGP signature