Hello Ben, long time no see. :-)
I was under the impression that anything below 3.0p1 or the SuSE patched 2.9.9 RPM has this vulnerability. I could be wrong, but this doesn't stop you from using the new SuSE rpm or doing what I did: compiling 3.0.2p1, which works quite well.
I'm sorry, but this is wrong. Summary: Versions of openssh before 2.3.0 were vulnerable to the defective crc32 compensation attack fix from core-sdi. 2.3.0 corrected the fix. There were a few other vulnerabilities after 2.3.0, though, which make a newer version necessary. The current SuSE package (2.9.9p2) fixes all currently known vulnerabilities in the same way as 3.0.2 does.
* JW (jw@centraltexasit.com) [020116 10:38]:
->Can anyone tell me if openssh-2.5.2 is vulnerable to the crc32 compensation
->attack?
Do. And to mention it once more since people don't seem to read security announcements from their vendor :-) : The crc32 compensation attack is not the problem. The problem is an attack against the faulty fix of the crc32 compensation attack from core-sdi. In other words, 2.3.0 (and the ssh package from February 2001) fix a defective fix.
Roman.