Hi Wolfgang,
Hi Roman,
My congratulations to SuSE for jumping on the problem last February, and thanks for your further explanation.
As for that list of ssh versions, I think that was taken from one of the attack scripts. The attackers are logging onto port 22 to see if the host is vulnerable, matching the given banner string with this list.
Well, I thought of that already, but the version string that is written to the network socket in plain text does not really qualify for a vulnerability check. It's a check to _exclude_ that a specific implementation is vulnerable, but the opposite is clearly not true. We've seen reports where CERT are scanning large parts of the internet and warning users about the problem, but, apparently, without knowing what the remote analysis of the protocol version means.
Regards, Lew Wolfgang
Roman.
--
| Roman Drahtmüller