Noticed that Turbolinux promptly reports where ls is located in response to "which ls", as will Mandrake and RedHat, but SuSE 7.3 won't. Is this intentional? Please don't tell me I've been hacked already, the box has only been running 12 hours, and it's only got a ssh open.
--
John Andersen / Juneau Alaska
John Andersen wrote:
> Noticed that Turbolinux promptly reports where ls is located in response to "which ls", as will Mandrake and RedHat, but SuSE 7.3 won't.
try > alias ls and you'll see the standard alias set for ls on SuSE :-))
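Added example, not part of the original thread: a POSIX shell check that tells an alias apart from the binary on disk, which is the distinction behind the empty "which ls" above. The function names (is_aliased, path_lookup, explain_cmd) and the alias value are constructed for illustration; the actual SuSE alias is not shown on this page.

```shell
#!/bin/sh
# Added example: separate "the shell has an alias for NAME" from
# "an executable called NAME exists on PATH".

# Succeeds if NAME is currently defined as an alias in this shell.
is_aliased() {
    alias "$1" >/dev/null 2>&1
}

# Walk $PATH by hand and print the first executable regular file named $1.
# Aliases, functions and builtins are ignored. Returns 1 if nothing matches.
path_lookup() {
    pl_saved_ifs=$IFS
    IFS=:
    for pl_dir in $PATH; do
        [ -n "$pl_dir" ] || pl_dir=.    # an empty PATH entry means the current dir
        if [ -f "$pl_dir/$1" ] && [ -x "$pl_dir/$1" ]; then
            IFS=$pl_saved_ifs
            printf '%s\n' "$pl_dir/$1"
            return 0
        fi
    done
    IFS=$pl_saved_ifs
    return 1
}

# Print both views of NAME, so an alias shadowing a binary is visible at once.
explain_cmd() {
    if ec_def=$(alias "$1" 2>/dev/null); then
        printf 'alias: %s\n' "$ec_def"
    fi
    if ec_bin=$(path_lookup "$1"); then
        printf 'file: %s\n' "$ec_bin"
    else
        printf 'file: none on PATH\n'
    fi
}

# Constructed demo: define an alias the way a distribution profile might.
alias ls='ls -F'
explain_cmd ls
```

An alias that comes from the distribution's own profile scripts is expected; one that nobody can account for, or a PATH hit in an unusual directory, is the thing worth a closer look.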
Aaah, by the way: John Andersen wrote:
> Please don't tell me I've been hacked already, the box has only been running 12 hours, and it's only got a ssh open.
"only" like in "only one eye" ??? .o)
Make sure to use the newest openssh (Version 3.xxx), there are xploits around for the elder ones.
> > Please don't tell me I've been hacked already, the box has only been running 12 hours, and it's only got a ssh open.
> "only" like in "only one eye" ??? .o)
> Make sure to use the newest openssh (Version 3.xxx), there are xploits around for the elder ones.
Really??? For which vulnerability, for which versions, which
implementations?
Please be careful with such statements.
The statement is clearly wrong as you made it.
Thanks,
Roman.
--
Roman Drahtmüller
* Roman Drahtmueller wrote on Tue, Nov 27, 2001 at 10:22 +0100:
> > Make sure to use the newest openssh (Version 3.xxx), there are xploits around for the elder ones.
> Really??? For which vulnerability, for which versions, which implementations?
> Please be careful with such statements.
> The statement is clearly wrong as you made it.
According to the SuSE website, openssh needs a security upgrade to 2.9.9p2 but only to avoid a source-IP based authentication problem in protocol 2 (by this, it looks not extremely serious). This package is available for 7.1 and newer. I assume older versions should use the 7.1 packages?
For SSH, there is a CRC32 update with 1.2.27-239 which is serious. This package is available to 7.1 and newer. I assume older versions should use this.
Is that correct so? Otherwise please correct it to clarify that SSH myst now :)
oki,
Steffen
--
This message was generated by machine and therefore bears neither signature nor seal.
I was wrong regarding the OpenSSH known vulnerabilities and xploits. I mistook version 2.3.0 and 3.0.x. My apologies to the list and SuSE.
Steffen Dettmer wrote:
[...]
> For SSH, there is a CRC32 update with 1.2.27-239 which is serious. This package is available to 7.1 and newer. I assume older versions should use this.
> Is that correct so? Otherwise please correct it to clarify that SSH myst now :)
Yes that's correct, sorry again for spreading this myst.
Greetings
Michael
> I was wrong regarding the OpenSSH known vulnerabilities and xploits. I mistook version 2.3.0 and 3.0.x. My apologies to the list and SuSE.
> Steffen Dettmer wrote:
> [...]
> > For SSH, there is a CRC32 update with 1.2.27-239 which is serious. This package is available to 7.1 and newer. I assume older versions should use this.
The update packages are available for 6.0 on. This is becoming a boomerang, and I start losing patience over it. :-) Read from my lips: The crypto packages for 7.1 and up are to be found on ftp.suse.com, for 7.0 and down they are on ftp.suse.de, for legal reasons. This is also mentioned in the security announcement from February 16th, to be found at http://www.suse.de/de/support/security/adv004_ssh.txt .
> > Is that correct so? Otherwise please correct it to clarify that SSH myst now :)
> Yes that's correct, sorry again for spreading this myst.
> Greetings Michael
Thanks,
Roman.
--
Roman Drahtmüller
* Roman Drahtmueller wrote on Wed, Nov 28, 2001 at 12:31 +0100:
> Steffen Dettmer wrote:
> > For SSH, there is a CRC32 update with 1.2.27-239 which is serious. This package is available to 7.1 and newer. I assume older versions should use this.
> The update packages are available for 6.0 on.
oki, so I spent an hour senseless, that's a pity...
> Read from my lips: The crypto packages for 7.1 and up are to be found on ftp.suse.com, for 7.0 and down they are on ftp.suse.de, for legal reasons.
Ohh, so the web pages found of suse.de -> updates/fixes are not complete? I thought they list any security updates. So I'm sorry, but the pages really look like they would list anything. Maybe somebody could add a hint like "this is only a subset of updates - we don't list all here for some strange reasons" :)
Sorry for the inconvenience, have a nice day!
oki,
Steffen
--
This message was generated by machine and therefore bears neither signature nor seal.
Hi,
On 29 Nov 2001, at 12:24, Steffen Dettmer wrote:
> "this is only a subset of updates - we don't list all here for some strange reasons" :)
I do not know if this applies to this case, but for a long time any crypto related technology had different packages/RPMs/whatever for the US and the rest of the world. IIRC this was caused by the export limitations for crypto technologies of the USA on one hand and some usage patents for cryptotechnologies from some US companies. For that reason many crypto related products had two different packages. Personally I think that even a third package must have existed, as there are US/international regulations not to allow certain high tech products being sold to some "bad" countries (like Cuba, North Korea, Vietnam, etc.). Given the fact that US regulations are a bit looser now, and some usage patents have expired (Diffie-Hellman and RSA, 2000?), it is clear that now some parts of the distribution are the same for the US and the rest of the world.
HTH
mike
* Thomas Michael Wanka wrote on Thu, Nov 29, 2001 at 16:50 +0100:
> Hi,
> On 29 Nov 2001, at 12:24, Steffen Dettmer wrote:
> > "this is only a subset of updates - we don't list all here for some strange reasons" :)
> I do not know if this applies to this case, but for a long time any crypto related technology had different packages/RPMs/whatever for the US and the rest of the world.
I would not call a security announcement crypto related technology, and I did look on suse.de not .com. I thought the web pages list any security issue, but it seems that this is not complete. Can anyone confirm this?
oki,
Steffen
--
This message was generated by machine and therefore bears neither signature nor seal.
participants (5): John Andersen, Michael Zimmermann, Roman Drahtmueller, Steffen Dettmer, Thomas Michael Wanka