Re[2]: [suse-security] duarawkz

21 Nov 2001

      Hi,

the main question is, if your SSH daemon is vulnerable.

The option "Protocol 2,1" sets only the preferred version to SSH2. You're
allowed to connect with SSH1 too.

Cheers,

Ralf
...
Boris Lorenz wrote:
...
Yuppa,
On 21-Nov-01 Reckhard, Tobias wrote:
...
...
...
that a flaw in the SSH1 protocol has been used to break into the
two said
...
...
^^^^^^^^^^^
...
...
There is a remote integer overflow vulnerability in several
implementations of
                                         ^^^^^^^^^^^^^^^^^^^^^^
the SSH1 protocol that allows an attacker to execute arbitrary code
with
...
...
the
^^^^^^^^^^^^^^^^^
Note the (more or less subtle) difference.
Tobias
Que...?
Is it nit picking time already? Didn't know that, OMG! ;)
While we're at it, if you're running SSH protocol version 2 (in any
implementation) *and* a vulnerable SSH protocol 1 demon, with a
fallback to V1
for compatibilty with the lame old ssh1, you're vulnerable too,
congratulations.
Hi,
so the next question is:
If I run only SSH 2 daemon but with sshd_config Option "Protocol 2,1 "
for compatibility - is it vulnerable?
Annette
Sysadmin IfM Technical University Berlin
Germany
...
Boris Lorenz 
---
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
-- 
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com

Re[2]: [suse-security] duarawkz

Ralf Koch