
Re: is openssh version (in potato) 1.2.3-9.4 vulnerable?



On Fri, Feb 22, 2002 at 11:39:02AM -0500, Walter Tautz wrote:
> On Sat, 23 Feb 2002, Paul Hampson wrote:
> > On Fri, Feb 22, 2002 at 02:20:00PM -0000, Liam Ward wrote:
> > > On 22 Feb 2002 at 9:11, Walter Tautz wrote:
> > > > http://www.cert.org/incident_notes/IN-2001-12.html
> > > > http://www.cert.org/advisories/CA-2001-35.html
> > > > which apparently refers to ssh1 crc-32 compensation attack detector
> > > > and some other problems?

> > > >   Judging from the page there openssh is fixed only in version 2.3.0
> > > >   and later? Or has the one in potato been patched so that none of
> > > >   these vulnerabilities.

> > > The new version of Nessus (in testing) is complaining about this too.

> > > I think, from looking at the bug reports etc., that in potato the
> > > offending versions of ssh and openssh have been patched so that,
> > > although your version number indicates that you have a problem, the 
> > > truth is that you're safe. All of this is, of course, dependent on
> > > you being up to date with security.debian.org updates.

> > > Can someone confirm this please...

> > Yup, ssh in potato has been patched against the known vulnerabilities
> > in that version of OpenSSH.

> > The version of ssh in sid (and presumably woody) reports
> > its Debian package version as well, so that tools such as Nessus
> > can tell it from the vanilla OpenSSH.

> > If you're curious, this extension was thoroughly debated in
> > debian-devel a fortnight ago or so. :-)

> When you refer to `extension' what do you mean?
The version of ssh in sid (and presumably woody) reports
its Debian package version as well, so that tools such as Nessus
can tell it from the vanilla OpenSSH.

> Also where would I look
> for bug reports for this kind of info? bugs.debian.org?

Which kind of info?
I suspect the answer to either is
/usr/share/doc/ssh/changelog.Debian.gz

And bugs.debian.org if it's a live or recently live
issue. But in this case it's not.

> ps. thanks for confirming the security but I wouldn't
> mind confirming it for myself.
http://security.debian.org would also let you see the various
fixes made to the ssh package...
Alternatively, ask on
debian-security@lists.debian.org

In fact, I whacked '945216 Debian' into google, and the
first link was the Debian Vendor Statement at CERT about
VU#945216, which pointed me to DSA-027-1

Of course, the changelog doesn't call it the CRC-32
compensator attack, nor reference the CERT VU#.

-- 
-----------------------------------------------------------
Paul "TBBle" Hampson, MCSE
4th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
Paul.Hampson@Anu.edu.au

Of course Pacman didn't influence us as kids. If it did,
we'd be running around in darkened rooms, popping pills and
listening to repetitive music.

This email is licensed to the recipient for non-commercial
use, duplication and distribution.
-----------------------------------------------------------
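The thread turns on two checks a defender can script: telling a Debian-packaged OpenSSH (whose identification banner carries the Debian package version, so a scanner such as Nessus is not fooled by the upstream version number) apart from vanilla OpenSSH, and searching the package changelog for the fix, which, as Paul notes, may not use the CERT name or VU# you expect. The POSIX shell script below is an added example, not code from the thread or from the Debian ssh package. It assumes the banner layout "SSH-<proto>-OpenSSH_<ver> Debian <pkgver>"; the banners and the changelog entry in it are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread: distinguish a Debian-versioned
# OpenSSH banner from a vanilla one, and search a Debian changelog for a fix.
# All banners and the changelog text below are constructed samples.

# classify_banner BANNER
# Prints "debian <package-version>" when the identification string carries
# the Debian package version suffix the thread describes (assumed layout:
# "SSH-<proto>-OpenSSH_<ver> Debian <pkgver>"), otherwise
# "vanilla <upstream-version>".
classify_banner() {
    banner=$1
    # Drop the "SSH-<protocol>-" prefix, keeping only the software string.
    software=${banner#SSH-*-}
    case "$software" in
        *" Debian "*)
            printf 'debian %s\n' "${software#* Debian }"
            ;;
        *)
            printf 'vanilla %s\n' "${software%% *}"
            ;;
    esac
}

# changelog_mentions FILE PATTERN
# Exit 0 when the changelog (plain text, or gzipped as
# /usr/share/doc/ssh/changelog.Debian.gz is) matches PATTERN, case-insensitively.
changelog_mentions() {
    file=$1
    pattern=$2
    case "$file" in
        *.gz) gzip -dc -- "$file" ;;
        *)    cat -- "$file" ;;
    esac | grep -qi -- "$pattern"
}

# write_sample_changelog
# Writes a constructed changelog entry to a temporary file and prints its path.
# Like the real changelog the thread describes, it names neither CRC-32 nor a
# VU#, so a keyword search for those terms finds nothing.
write_sample_changelog() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
ssh (1.2.3-9.4) stable-security; urgency=high

  * Constructed sample entry: apply security fix to ssh1 packet handling.

 -- Example Maintainer <maintainer@example.org>  Thu, 22 Feb 2001 12:00:00 +0000
EOF
    printf '%s\n' "$tmp"
}

# Demonstration when run directly (constructed banners).
for b in 'SSH-1.99-OpenSSH_3.0.2p1 Debian 1:3.0.2p1-8' 'SSH-1.5-OpenSSH_1.2.3'; do
    printf '%-45s -> %s\n' "$b" "$(classify_banner "$b")"
done
log=$(write_sample_changelog)
if changelog_mentions "$log" 'CRC-32'; then
    echo 'changelog names CRC-32'
else
    echo 'no CRC-32 keyword: search for "security" or the DSA number instead'
fi
changelog_mentions "$log" 'security' && echo 'changelog mentions a security fix'
rm -f "$log"
```

The point of `classify_banner` is that a scanner matching only on `OpenSSH_<ver>` will flag a backported fix as vulnerable, whereas the Debian suffix gives it the package version that actually tracks the security update; `changelog_mentions` shows why a negative keyword search for the advisory's name proves nothing, and why the DSA or the package version is the thing to compare.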
