On Thu, 27 Jun 2002 10:17:12 -0400
"Ryan Swenson"
Hello,
Since SuSE's announcement I have seen only how do I fix my ssh, how do I backport to earlier version? Why is my 3.3 not working, 3.3 has a buffer overflow.
FOR GOD'S SAKE!! DOESN'T ANYONE LISTEN??!!! As has been stated repeatedly on suse-security, the current openssh version DOES NOT FIX THE BUG!!! It DOES however work around the bug by using privilege separation to limit the damage that can be done. PLEASE READ THE FOLLOWING
cat openssh-3.3p1-6.i386_en.info
openssh: Secure shell client and server (remote login program)

File: openssh-3.3p1-6.i386.rpm
Patchrpm: openssh-3.3p1-6.i386.patch.rpm
Version: 3.3p1
Size: 508 kB
Patchsize: 440 kB
Date: Tue 25 Jun 2002 12:56:37 PM CEST
Source: openssh-3.3p1-6.src.rpm
Security: Yes
----------------------------------------------------------------------
Description:
Security update: This update works around a security problem in OpenSSH.

Notice the line above here???

This package was released very hurriedly by SuSE (Thanks guys) based on the incomplete info provided by Theo (who is one of the more idiotic people who inhabit the open source world). As several people from SuSE have said, another version will be released soon which does fix the problem properly, but this has not happened yet and as such there is nothing to "backport".

In any case, if you have left your openssh config as default then you are "mostly" not vulnerable as the feature that has the bug is turned off by default on SuSE Linux.

Just out of interest, what the hell did you think you were going to accomplish by cc'ing your mail to press@suse.com and sales@suse.com? Were you going for maximum possible exposure of your idiocy? Next time maybe you should add sales@microsoft.com and sales@ford.com and imastupididiotwhodoesntreadannouncements@disney.com to your list!!!

Before anyone asks, yes, I've had a terrible day, and I need more coffee!

--
Have fun
Peter Nixon - nix@susesecurity.com
SuSE Security FAQ Maintainer
http://www.susesecurity.com/faq/
"If you think cryptography will solve the problem, then you don't understand cryptography and you don't understand your problem."