Re: [suse-security] SSH
I was under the impression that anything below 3.0p1 or the SuSE patched 2.9.9 RPM has this vulnerability. I could be wrong, but this doesn't stop you from using the new SuSE rpm or doing what I did.. compiling 3.0.2p1 which works quite well.

* JW (jw@centraltexasit.com) [020116 10:38]:
->Can anyone tell me if openssh-2.5.2 is vulnerable to the crc32 compensation
->attack?

-----=====-----=====-----=====-----=====-----
Ben Rosenberg mailto:ben@whack.org
-----=====-----=====-----=====-----=====-----
I'm out of my mind, but feel free to leave a message...
Hello Ben,

long time no see. :-)

> I was under the impression that anything below 3.0p1 or the SuSE patched
> 2.9.9 RPM has this vulnerability. I could be wrong, but this doesn't stop
> you from using the new SuSE rpm or doing what I did.. compiling 3.0.2p1
> which works quite well.

I'm sorry, but this is wrong.

Summary: Versions of openssh before 2.3.0 were vulnerable to the defective crc32 compensation attack fix from core-sdi. 2.3.0 corrected the fix. There were some few other vulnerabilities after 2.3.0 though which make a newer version necessary.

The current SuSE package (2.9.9p2) fixes all currently known vulnerabilities in the same way as 3.0.2 does.

> * JW (jw@centraltexasit.com) [020116 10:38]:
> ->Can anyone tell me if openssh-2.5.2 is vulnerable to the crc32 compensation
> ->attack?

Do. And to mention it once more since people don't seem to read security announcements from their vendor :-) : The crc32 compensation attack is not the problem. The problem is an attack against the faulty fix of the crc32 compensation attack from core-sdi. In other words, 2.3.0 (and the ssh package from February 2001) fix a defective fix.

Roman.
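The confusion in this thread comes from comparing version strings by eye. The following is an added example, not code from the thread or from the OpenSSH project: it parses the version strings that appear here ("2.5.2", "3.0p1", "2.9.9p2", or a full `ssh -V` banner such as "OpenSSH_2.9.9p2, SSH protocols 1.5/2.0, ...") and checks them against the 2.3.0 threshold Roman states. The `BACKPORTED_OK` table is a constructed placeholder standing in for a vendor's own advisory data; the `ssh -V` banner format and the `vendor` tag are assumptions of this example.

```python
"""Compare OpenSSH version strings against the 2.3.0 threshold from the thread.
Added example for this archive page; not part of the original messages."""
import re
from typing import NamedTuple, Optional

# Upstream release in which the defective crc32-compensation fix was corrected,
# as stated in Roman's summary above.
FIXED_UPSTREAM = (2, 3, 0)

# Vendor packages known to carry backported fixes.  Constructed placeholder for
# this example: the thread says SuSE's 2.9.9p2 matches 3.0.2, but in practice
# this table must come from the vendor's advisory, not from the version number.
BACKPORTED_OK = {
    ("suse", "2.9.9p2"),
}

# "OpenSSH_2.9.9p2", "OpenSSH 3.0p1", "openssh-2.5.2"; the pN suffix marks the
# portable release and does not affect the upstream comparison.
_PREFIXED = re.compile(
    r"OpenSSH[-_ ]?(?P<ver>\d+(?:\.\d+){1,2})(?:p(?P<portable>\d+))?", re.IGNORECASE)
_BARE = re.compile(r"(?P<ver>\d+(?:\.\d+){1,2})(?:p(?P<portable>\d+))?")


class OpenSSHVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    portable: Optional[int]  # the "pN" suffix, if present
    raw: str                 # the text as it was matched, for messages

    def key(self):
        """Upstream release tuple used for ordering (portable suffix ignored)."""
        return (self.major, self.minor, self.patch)


def parse_version(text: str) -> OpenSSHVersion:
    """Extract the first OpenSSH version from a bare string or an `ssh -V` banner."""
    m = _PREFIXED.search(text) or _BARE.search(text)
    if m is None:
        raise ValueError(f"no OpenSSH version found in {text!r}")
    parts = [int(x) for x in m.group("ver").split(".")]
    while len(parts) < 3:  # "3.0p1" is 3.0.0 for comparison purposes
        parts.append(0)
    portable = m.group("portable")
    raw = m.group("ver") + (f"p{portable}" if portable else "")
    return OpenSSHVersion(parts[0], parts[1], parts[2],
                          int(portable) if portable else None, raw)


def has_defective_deattack_fix(v: OpenSSHVersion) -> bool:
    """True for upstream releases the thread places before the corrected fix."""
    return v.key() < FIXED_UPSTREAM


def assess(banner: str, vendor: Optional[str] = None) -> str:
    """Classify a version string; `vendor` lets a backported package be recognised."""
    v = parse_version(banner)
    if vendor is not None and (vendor, v.raw) in BACKPORTED_OK:
        return f"{v.raw}: vendor package with backported fixes, treat as current"
    if has_defective_deattack_fix(v):
        return f"{v.raw}: before 2.3.0, defective crc32 compensation fix present"
    return f"{v.raw}: corrected fix present; later fixes must be checked separately"


if __name__ == "__main__":
    for banner, vendor in [("openssh-2.5.2", None),
                           ("OpenSSH_2.9.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f", "suse"),
                           ("OpenSSH_2.9.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f", None),
                           ("3.0p1", None)]:
        print(assess(banner, vendor))
```

Note what the last two calls show: the same 2.9.9p2 banner is judged differently depending on whether the checker knows about the vendor backport. That is exactly Roman's point about the SuSE package, and why a version-only scan of `ssh -V` output is not a substitute for reading the vendor's security announcement.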
* Roman Drahtmueller (draht@suse.de) [020116 23:32]:
->Hello Ben,
->
->long time no see. :-)

Yes, I think we both have been busy as hell. Good to hear from you.

->Summary: Versions of openssh before 2.3.0 were vulnerable to the defective
->crc32 compensation attack fix from core-sdi. 2.3.0 corrected the fix.
->There were some few other vulnerabilities after 2.3.0 though which make a
->newer version necessary.

OH! I guess I misread it. I thought they meant the commercial version of SSH, hence the 2.3 and below... and my statement about "I was under the impression.." guess my impression was wrong. *grin*

->The current SuSE package (2.9.9p2) fixes all currently known
->vulnerabilities in the same way as 3.0.2 does.

I know. I trust you. :)

->Do. And to mention it once more since people don't seem to read security
->announcements from their vendor :-) : The crc32 compensation attack is not
->the problem. The problem is an attack against the faulty fix of the crc32
->compensation attack from core-sdi. In other words, 2.3.0 (and the ssh
->package from February 2001) fix a defective fix.

*laugh* I saw the announcement and read about as far as to get the idea "fuck, I guess I need to upgrade.." so I just got the most current and compiled ;)

Cheers! and I hope all is well for you. :)

-----=====-----=====-----=====-----=====-----
Ben Rosenberg mailto:ben@whack.org
-----=====-----=====-----=====-----=====-----
I'm out of my mind, but feel free to leave a message...
participants (2)
- Ben Rosenberg
- Roman Drahtmueller