RE: Vulnerable SSH versions
A quick question concerning such things...
I have a remote server that I do not trust myself to upgrade from
Potato(e) to Woody, and such vulnerabilities do worry me a little. Is
there any general expectation that such "back porting" will continue
once Woody is released?
Curt-
-----Original Message-----
From: Jo Fahlke [mailto:jorrit@jorrit.de]
Sent: Monday, November 12, 2001 19:45
To: Michal Kara
Cc: debian-security@lists.debian.org
Subject: Re: Vulnerable SSH versions
Am Mon, 12. Nov 2001, 11:30:49 +0100 schrieb Michal Kara:
> Hi there!
>
> During this weekend, there has been paper posted to bugtraq named
"Analysis of
> SSH crc32 compensation attack detector exploit". It talks about a
recorded
> successful exploit using overflow in CRC32 compensation attack
detection code, a
> hole, which was discovered in February this year.
>
> In the appendices, there is also program checking if you are
vulnerable by
> checking the version string SSH daemon produces on connect. The newest
Dewbian
> Potato version produces string "SSH-1.5-OpenSSH-1.2.3" which is listed
as
> vulnerable to this security hole. However, the Debian advisory
released in
> February says refers to version 1.2.3 as having this fixed...
>
> So how it is? Who is wrong?
>
> Thanks,
> Michal
Check out the thread starting at
http://lists.debian.org/debian-security/2001/debian-security-200111/msg0
0025.html
Basicly, in Debian potato the fix was backported to the old Version of
ssh so it should be safe.
Jö.
--
If God had intended Man to Smoke, He would have set him on Fire.
-- fortune
Reply to: