
Re: debian potato's SSH not affected by SSH bug?



<quote who="Phil Brutsche">

> No, potato's ssh packages are vulnerable and updates have been made
> available; DSA-134 contains all the necessary information:
> http://www.debian.org/security/2002/dsa-134.
>
> Note that the upgraded openssh packages require updated openssl packages;
> it looks like the new openssl packages will co-exist with the older
> version that shipped with potato, but I no longer have any potato
> systems so YMMV.


I read the advisory, but I do not think it is complete.

The way I read it is:

'We were not given any information on what this vulnerability involves,
so we have no way of investigating whether or not we are vulnerable.
All we were told is this version fixes this problem, so here it is;
use at your own risk, it hasn't been heavily tested, we are putting it
out just in case.'

I get that from this quote of the advisory:
> Since details of the problem have not been released we were forced
> to move to the latest release of OpenSSH portable, version 3.3p1.

As I just got finished discussing this with a co-worker, I also
point out that the ISS advisory SPECIFICALLY mentions the SSH2 protocol,
which Debian potato does not support, and it also SPECIFICALLY mentions
several things in OpenSSH 3 which, from what I can see, are also not
supported in OpenSSH 1.2.3.

Maybe the advisory is bad, maybe I am too optimistic, but I still want
hard evidence that OpenSSH 1.2.3 is vulnerable before I upgrade a network
of servers two full major version numbers to ssh3 (currently I have them
firewalled).

Everything I have seen to date says OpenSSH 3.0 and up is vulnerable.
There is no mention of earlier versions specifically being marked as
vulnerable, nor is there any mention of older versions specifically
being tested for this vulnerability.

If you or others have more info please pass it along; I am reading
every post on the subject on the bugtraq and vuln-dev mailing lists as
well as the advisories being put out by vendors.

There is a "scanner", however I am hesitant to download it; many
scanners attempt to determine if a system is vulnerable solely by the
version of the software the system is running, and do not actually
determine whether the system is vulnerable.

nate
(hopeful & optimistic that debian is not vulnerable)
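The point nate makes about version-only "scanners" is easy to see in code. The following is an added example, not part of this thread and not anything from Debian, ISS or the OpenSSH project: it parses SSH server banners from a constructed host inventory, compares the advertised OpenSSH version against the 3.3p1 release that DSA-134 (as quoted above) moved to, and separately records whether the server advertises the SSH2 protocol at all. Its output is deliberately labelled as banner evidence only, because a banner tells you what version a server claims to run, not whether a given flaw is reachable on it. The inventory lines, the `FIXED_VERSION` constant taken from the quoted advisory text, and all function names are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Version DSA-134 moved to, per the advisory text quoted in the thread.
# This is the only hard number the thread gives; it is a release marker,
# not proof that every earlier version is affected.
FIXED_VERSION = "3.3p1"

# Standard SSH identification string: "SSH-<proto>-<software>[ comments]".
# Only OpenSSH banners are parsed; anything else is reported as unknown.
BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<ver>[0-9A-Za-z.]+)")


def parse_version(ver: str) -> Tuple[int, int, int, int]:
    """Turn '1.2.3', '3.3p1' or '2.9.9p2' into (major, minor, patch, portable).

    The trailing 'pN' is the OpenSSH portable release number; a bare '3.3'
    (no 'p') sorts just below '3.3p1', which is what we want for this check.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?", ver)
    if not m:
        raise ValueError(f"unrecognised OpenSSH version string: {ver!r}")
    major, minor, patch, portable = m.groups()
    return (int(major), int(minor), int(patch or 0), int(portable or 0))


def parse_banner(banner: str) -> Optional[Dict[str, str]]:
    """Extract protocol and OpenSSH version from a banner, or None if not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return {"proto": m.group("proto"), "version": m.group("ver")}


def assess(banner: str) -> Dict[str, object]:
    """Classify one banner. Every verdict here is derived from the version
    string alone, which is exactly the limitation nate describes."""
    info = parse_banner(banner)
    if info is None:
        return {"banner": banner, "verdict": "unknown",
                "reason": "not an OpenSSH banner", "evidence": "banner only"}
    ver = parse_version(info["version"])
    # "1.99" means the server speaks both SSH1 and SSH2; "2.0" means SSH2 only;
    # "1.5" (or "1.x") means SSH1 only, as with the potato-era 1.2.3 packages.
    advertises_ssh2 = info["proto"] in ("1.99", "2.0")
    return {
        "banner": banner,
        "version": info["version"],
        "version_predates_fix": ver < parse_version(FIXED_VERSION),
        "advertises_ssh2": advertises_ssh2,
        # Spell out what this check is and is not.
        "evidence": "banner version only; not a vulnerability test",
    }


def hosts_predating_fix(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return hostnames whose OpenSSH banner predates FIXED_VERSION."""
    return [host for host, banner in inventory
            if assess(banner).get("version_predates_fix") is True]


# Constructed inventory (hostnames and banners are made up for this example).
SAMPLE_INVENTORY = [
    ("potato-box.example",  "SSH-1.5-OpenSSH_1.2.3"),
    ("woody-box.example",   "SSH-1.99-OpenSSH_3.0.2p1"),
    ("patched.example",     "SSH-1.99-OpenSSH_3.3p1"),
    ("other-sshd.example",  "SSH-2.0-dropbear_0.28"),
]

if __name__ == "__main__":
    for host, banner in SAMPLE_INVENTORY:
        print(host, assess(banner))
    print("predate fix:", hosts_predating_fix(SAMPLE_INVENTORY))
```

Run as a script it prints one assessment per host; the `evidence` field is carried on every record so that anyone consuming the output downstream sees that a "predates fix" result is a version comparison, not a demonstration that the host is exploitable, which is the distinction the message above draws.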




