openssh packages not vulnerable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
So as it turns out, AFAIK, none of the versions of OpenSSH in Debian
were actually vulnerable to the exploit found by ISS and reported in
DSA-134.
Potato wasn't vulnerable because it is SSH1 only, and the problem lies
in the ChallengeResponseAuthentication feature that only exists in the
SSH2 protocol.
Also, in order to be vulnerable, either the S/KEY or the BSD_AUTH
authentication mechanism needed to be enabled at compile time. The
woody/sid packages do not enable either of these features. So what it all
boils down to is that at no time was Debian vulnerable to this problem.
I'm curious what recourse Debian is planning to take now? Perhaps
removing the buggy OpenSSH 3.3 packages off of security.debian.org so
people don't upgrade to it since it's not at all necessary and it will
only cause problems like screwing up compression and pam.
- --
Paul Baker
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, 1759
GPG Key: http://homepage.mac.com/pauljbaker/public.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (Darwin)
Comment: For info see http://www.gnupg.org
iD8DBQE9GheLoxmRVfL3nlsRAmM4AJ9mBv0mgZhEqW/Duzoj5SUQw4UewACeICe+
I6wH9uksQP9RJMpZk5YNqQc=
=jknM
-----END PGP SIGNATURE-----
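The post names two run-time conditions that have to hold before the compile-time S/KEY or BSD_AUTH question even matters: the SSH2 protocol must be offered, and ChallengeResponseAuthentication must be on. The script below is an added example, not part of the original post or of any Debian package; it audits an sshd_config for those two conditions. It assumes the OpenSSH 3.x behaviour that the first occurrence of a directive wins and that an absent directive falls back to "Protocol 2,1" and "ChallengeResponseAuthentication yes"; the three sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the post or any Debian package): audit an sshd_config
# for the two run-time conditions the post names. Whether the binary was built
# with S/KEY or BSD_AUTH cannot be read from the config; the post states the
# woody/sid packages were built without either.

# Print the effective value of directive $2 in config file $1.
# Assumes sshd semantics: keyword is case-insensitive, first match wins,
# comment lines are ignored. Prints nothing when the directive is absent.
sshd_directive() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == key { print $2; exit }
  ' "$1"
}

# Exit 0 when SSH2 is offered AND challenge-response auth is on (the feature the
# post says the bug lives in), exit 1 otherwise. Assumed 3.x defaults apply
# when a directive is missing.
crauth_exposed() {
  proto=$(sshd_directive "$1" Protocol); proto=${proto:-2,1}
  cr=$(sshd_directive "$1" ChallengeResponseAuthentication); cr=${cr:-yes}
  case ",$proto," in
    *,2,*) ;;            # SSH2 is in the Protocol list
    *) return 1 ;;       # SSH1-only, like the potato package the post describes
  esac
  [ "$(printf '%s' "$cr" | tr 'A-Z' 'a-z')" = yes ]
}

# Constructed sample configs (not real Debian files).
tmp=$(mktemp -d)
cat > "$tmp/default.conf" <<'EOF'
# Neither directive set, so the 3.x defaults (Protocol 2,1, CR auth yes) apply
PermitRootLogin no
EOF
cat > "$tmp/ssh1only.conf" <<'EOF'
Protocol 1
EOF
cat > "$tmp/hardened.conf" <<'EOF'
Protocol 2
challengeresponseauthentication no
EOF

# Human-readable report for each sample when run stand-alone.
audit_report() {
  for f in "$tmp"/*.conf; do
    if crauth_exposed "$f"; then
      echo "$(basename "$f"): SSH2 + ChallengeResponseAuthentication on; check whether the build enables S/KEY or BSD_AUTH"
    else
      echo "$(basename "$f"): feature not reachable (SSH1-only or challenge-response off)"
    fi
  done
}
audit_report
```

Only the first sample is flagged: it relies on the defaults, so both conditions hold and the build options decide the outcome, which for the woody/sid packages the post says is "not enabled". The SSH1-only and the challenge-response-off configs never reach that question.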