Re: Vulnerable SSH versions
* Michal Kara <firstname.lastname@example.org> [011112 11:35]:
> Hi there!
> During this weekend, there has been a paper posted to bugtraq named
> "Analysis of SSH crc32 compensation attack detector exploit". It
> talks about a recorded successful exploit using overflow in CRC32
> compensation attack detection code, a hole, which was discovered in
> February this year.
> In the appendices, there is also a program checking if you are
> vulnerable by checking the version string the SSH daemon produces on
> connect. The newest Debian Potato version produces the string
> "SSH-1.5-OpenSSH-1.2.3" which is listed as vulnerable to this
> security hole. However, the Debian advisory released in February
> refers to version 1.2.3 as having this fixed...
> So how is it? Who is wrong?
I *think* both are right. The paper you mention talks about the original
OpenSSH 1.2.3 whereas the Debian advisory talks about the Debian
package. It's not the same.
This is the same issue as discussed last week. The message I got was
that the ssh package in potato includes a patch which fixes the
vulnerability. The patch doesn't change the version number, of course.
Such a patch was given in
If you don't believe the Debian advisory, you have to check the source
code, I think.