Is openssh 2.9.9p2 on SuSE 7.3 secure?
Currently, I am running SuSE 7.3 on the firewall/masquerading/gateway machine for my home network. I was also running openssh. That was until I ran a security scan (Nessus 1.0.10) that showed the version of ssh (openssh-2.9.9p2-103) to be highly vulnerable. So I read the SuSE security announcements and it seems that the version I have has been patched and all is well. So, I am secure running openssh 2.9.9p2? Would an updated version of Nessus still show this as a problem? Thanks, Rob
Hi Rob,
Currently, I am running SuSE 7.3 on the firewall/masquerading/gateway machine for my home network. I was also running openssh. That was until I ran a security scan (Nessus 1.0.10) that showed the version of ssh (openssh-2.9.9p2-103) to be highly vulnerable. So I read the SuSE security announcements and it seems that the version I have has been patched and all is well. So, I am secure running openssh 2.9.9p2? Would an updated version
To our knowlege, yes.
of Nessus still show this as a problem?
Yes. Vulnerability scanners are braindead in this matter. We can't help.
Thanks, Rob
Roman.
--
- -
| Roman Drahtmüller
Hi! On Thu, 5 Sep 2002, Roman Drahtmueller wrote:
Hi Rob,
Currently, I am running SuSE 7.3 on the firewall/masquerading/gateway machine for my home network. I was also running openssh. That was until I ran a security scan (Nessus 1.0.10) that showed the version of ssh (openssh-2.9.9p2-103) to be highly vulnerable. So I read the SuSE security announcements and it seems that the version I have has been patched and all is well. So, I am secure running openssh 2.9.9p2? Would an updated version
To our knowlege, yes.
What about the recently fixed openssl bugs? On Wed, 31 Jul 2002, Olaf Kirch wrote :
On Tue, Jul 30, 2002 at 09:58:43PM +0100, Graham Murray wrote:
Openssh uses openssl. Is openssh vulnerable to any of the openssl exploits?
Potentially, yes. It may be possible to trigger the ASN.1 signedness bug when decoding RSA keys during/after RSA authentication. The other bugs, no, because OpenSSH doesn't use SSL.
At least on SuSE 7.2, ssh and sshd are *not* dynamically linked against the openssl libs - so perhaps they are statically linked and thus still vulnerable?!? Or don't they use openssl at all? (openssh-2.9.9p2-103 was built on Jun 28, a month before the openssl announcement!) I asked this question before but got no answer... :-( Martin
On Wed, 31 Jul 2002, Olaf Kirch wrote :
On Tue, Jul 30, 2002 at 09:58:43PM +0100, Graham Murray wrote:
Openssh uses openssl. Is openssh vulnerable to any of the openssl exploits?
Potentially, yes. It may be possible to trigger the ASN.1 signedness bug when decoding RSA keys during/after RSA authentication. The other bugs, no, because OpenSSH doesn't use SSL.
At least on SuSE 7.2, ssh and sshd are *not* dynamically linked against the openssl libs - so perhaps they are statically linked and thus still vulnerable?!? Or don't they use openssl at all? (openssh-2.9.9p2-103 was built on Jun 28, a month before the openssl announcement!)
What command did you use to figure out the how openssh was linked? It like to check to see which libraries are used and how they are linked in openssh-2.9.9p2. TIA, Rob
"Sven 'Darkman' Michels"
Rob Osterburg wrote:
What command did you use to figure out the how openssh was linked? It like to check to see which libraries are used and how they are linked in openssh-2.9.9p2.
ldd `which sshd`
Which will only tell you which dynamic libraries will be loaded at runtime. It does not tell you which static libraries form part of the binary. To find out which version of Openssl ssh is using, type ssh -V Though SuSE's policy of not changing version numbers will not help in identifying whether it is patched or unpatched.
Graham Murray wrote:
Which will only tell you which dynamic libraries will be loaded at runtime. It does not tell you which static libraries form part of the binary.
To find out which version of Openssl ssh is using, type ssh -V
Though SuSE's policy of not changing version numbers will not help in identifying whether it is patched or unpatched.
right, so you have to check rpm -q openssl/openssh --changelog for the fixes. with all that you can hopefully figure out if your enviroment is patched or not.
On Fri, 13 Sep 2002, Sven 'Darkman' Michels wrote:
right, so you have to check rpm -q openssl/openssh --changelog for the fixes. with all that you can hopefully figure out if your enviroment is patched or not.
The latest openssh rpms for SuSe 7.2 und 7.3 on ftp.suse.com are both dated July 01; since the openssl security announcement was released on July 30, openssh can't really be fixed, *if* it it is statically linked against the openssl libs, right? (Unless SuSE secretly fixed openssl *long* before the announcement...) I think a clarification would *really* be nice... Martin
right, so you have to check rpm -q openssl/openssh --changelog for the fixes. with all that you can hopefully figure out if your enviroment is patched or not.
The latest openssh rpms for SuSe 7.2 und 7.3 on ftp.suse.com are both dated July 01; since the openssl security announcement was released on July 30, openssh can't really be fixed, *if* it it is statically linked against the openssl libs, right?
(Unless SuSE secretly fixed openssl *long* before the announcement...)
I think a clarification would *really* be nice...
Guys, I must repeat: The SuSE security team does not read suse-security@ on a regular basis. It's good luck that I didn't skip this thread, so I've seen it. But important things like this should _always_ be sent to security@suse.de or at least to one of the team members that you know is present (thomas, krahmer, okir and myself). You will see the new RPMs on the ftp server within hours.
Martin
Thanks,
Roman.
--
- -
| Roman Drahtmüller
participants (5)
-
Graham Murray
-
Martin Köhling
-
Rob Osterburg
-
Roman Drahtmueller
-
Sven 'Darkman' Michels