Re: is openssh version (in potato) 1.2.3-9.4 vulnerable?
On Sat, 23 Feb 2002, Paul Hampson wrote:
> On Fri, Feb 22, 2002 at 02:20:00PM -0000, Liam Ward wrote:
> > On 22 Feb 2002 at 9:11, Walter Tautz wrote:
> > > http://www.cert.org/incident_notes/IN-2001-12.html
> > > http://www.cert.org/advisories/CA-2001-35.html
>
> > > which apparently refers to ssh1 crc-32 compensation attack detector
> > > and some other problems?
>
> > > Judging from the page there openssh is fixed only in version 2.3.0
> > > and later? Or has the one in potato been patched so that none of
> > > these vulnerabilities.
>
> > The new version of Nessus (in testing) is complaining about this too.
>
> > I think, from looking at the bug reports etc., that in potato the
> > offending versions of ssh and openssh have been patched so that,
> > although your version number indicates that you have a problem, the
> > truth is that you're safe. All of this is, of course, dependent on
> > you being up to date with security.debian.org updates.
>
> > Can someone confirm this please...
>
> Yup, ssh in potato has been patched against the known vulnerabilities
> in that version of OpenSSH.
>
> The version of ssh in sid (and presumably woody) reports
> its Debian package version as well, so that tools such as Nessus
> can tell it from the vanilla OpenSSH.
>
> If you're curious, this extension was thoroughly debated in
> debian-devel a fortnight ago or so. :-)
>
> --
When you refer to `extension', what do you mean? Also, where would I look
for bug reports for this kind of info? bugs.debian.org?
-walter
ps. thanks for confirming the security but I wouldn't mind confirming it
for myself.