
Re: is openssh version (in potato) 1.2.3-9.4 vulnerable?



On Fri, Feb 22, 2002 at 02:20:00PM -0000, Liam Ward wrote:
> On 22 Feb 2002 at 9:11, Walter Tautz wrote:
> > http://www.cert.org/incident_notes/IN-2001-12.html
> > http://www.cert.org/advisories/CA-2001-35.html

> > which apparently refers to ssh1 crc-32 compensation attack detector
> > and some other problems?

> >   Judging from the page there openssh is fixed only in version 2.3.0
> >   and later? Or has the one in potato been patched so that none of
> >   these vulnerabilities.

> The new version of Nessus (in testing) is complaining about this too.

> I think, from looking at the bug reports etc., that in potato the
> offending versions of ssh and openssh have been patched so that,
> although your version number indicates that you have a problem, the 
> truth is that you're safe. All of this is, of course, dependent on
> you being up to date with security.debian.org updates.

> Can someone confirm this please...

Yup, ssh in potato has been patched against the known vulnerabilities
in that version of OpenSSH.

The version of ssh in sid (and presumably woody) reports
its Debian package version as well, so that tools such as Nessus
can tell it from the vanilla OpenSSH.

If you're curious, this extension was thoroughly debated in
debian-devel a fortnight ago or so. :-)

-- 
-----------------------------------------------------------
Paul "TBBle" Hampson, MCSE
4th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
Paul.Hampson@Anu.edu.au

Of course Pacman didn't influence us as kids. If it did,
we'd be running around in darkened rooms, popping pills and
listening to repetitive music.

This email is licensed to the recipient for non-commercial
use, duplication and distribution.
-----------------------------------------------------------
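The version-number false positive discussed in this thread, as an added example that is not part of the original message: a triage helper that parses an SSH identification string and says whether the banner alone can settle the question. The sample banners are constructed, the "Debian-9.4" comment format is hypothetical, and the 2.3.0 threshold is the upstream fix version cited in the quoted question.

```python
import re

# RFC 4253 identification string: SSH-protoversion-softwareversion SP comments
BANNER = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.+))?$")
OPENSSH = re.compile(r"^OpenSSH[_-](\d+)\.(\d+)(?:\.(\d+))?")
# First fixed upstream release as cited in the thread above.
UPSTREAM_FIXED = (2, 3, 0)


def assess(banner):
    """Return (verdict, detail) for one SSH identification line."""
    m = BANNER.match(banner.rstrip("\r\n"))
    if not m:
        return ("unparsed", None)
    v = OPENSSH.match(m.group("software"))
    if not v:
        return ("not-openssh", m.group("software"))
    version = tuple(int(p or 0) for p in v.groups())
    comments = m.group("comments")
    if version >= UPSTREAM_FIXED:
        return ("upstream-fixed", version)
    if comments:
        # Vendor build: the package version in the comment, not the upstream
        # number, has to be checked against the distribution's advisory.
        return ("check-vendor-advisory", comments)
    # Old upstream number and no vendor marker: a backported fix is invisible
    # here, so confirm the installed package version on the host itself.
    return ("banner-inconclusive", version)


# Constructed sample banners (not captured from real hosts).
SAMPLES = [
    "SSH-1.5-OpenSSH-1.2.3",
    "SSH-1.5-OpenSSH-1.2.3 Debian-9.4",  # hypothetical comment format
    "SSH-1.99-OpenSSH_3.0.2p1 Debian 1:3.0.2p1-6",
    "SSH-2.0-dropbear_2022.83",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:50} -> {assess(s)}")
```

A "banner-inconclusive" result is the case the thread describes: the scanner finding has to be closed out by checking the installed package against security.debian.org updates, not by the banner.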
