Hello,

Saint says: "ssh versions 1.2.27 and earlier if compiled with the --with-rsaref option are vulnerable." ... "This problem can be fixed by upgrading to ssh-1.2.28. If this is not possible, then install the ssh patch "

SuSE has a latest patch which produces ssh-1.2.27-209 for SuSE 6.3/6.4 (this version was uploaded 15/Feb or so). So I thought it looks like a brand new vulnerability... The only link given to the 1.2.28 sources is ftp://ftp.cs.hut.fi/pub/ssh/, which does not seem to allow anonymous users... I would prefer an rpm, because I have one machine without any sources due to low HDD space, so it couldn't compile at all - but rpmfind did not find any 1.2.28. Oh well, I would compile the sources on another SuSE 6.3 machine, if only I could get them.

So my question would be: is it a new ssh bug, and no vendors have developed a patch yet, or is there some mess with versions and Saint? Where could I get the sources of ssh-1.2.28?

P.S. The Saint I downloaded today - so it should be up to date.

P.P.S. Saint also complains about popper, even though I patched it in the last SuSE rpm update (pop-99.11.2-5); it seems it provides qpop 2.53, so I got the sources from eudora.com and upgraded popper to 3.1.2 (what a version jump?!). QUALCOMM's note on this:

Security Vulnerability
Some versions of Qpopper are vulnerable to buffer overruns. Qpopper 2.41 and older can be used to obtain root access to your system. Qpopper 2.53 and older may permit an attacker who has access to a valid account to obtain a shell with group-id 'mail', potentially allowing read/write access to all mail. All users of Qpopper are urged to upgrade to the current version.

:(

Sincerely Yours,
Gediminas Grigas
mailto:gedas@kryptis.lt
To make it short:

The qpopper and ssh bugs are non-present in the latest SuSE update packages as found on the ftp server.

ssh is not compiled with the flag --with-rsaref in SuSE packages due to licensing problems.

The qpopper from SuSE-7.1 is the latest available, 2.53 is a patched version to work around licensing issues (thanks to the qualcomm guys who allowed us to redistribute qpopper in the latest version).

Anyway, we learn that a security/vulnerability scanner is nice, but the output has to be understood and interpreted.
Regards,
Roman.
--
Roman Drahtmüller <draht@suse.de>
SuSE GmbH - Security
Nürnberg, Germany
"Caution: Cape does not enable user to fly." (Batman Costume warning label)
The only people that needed to use --with-rsaref (ssh, openssl, etc.) were poor Americans, since RSA used to be patented in the US (expired last September). If you are using RSAREF you should stop, it is a VERY BROKEN implementation.

Kurt
Hello again,

Monday, February 26, 2001, 8:57:10 PM, you wrote:

Thanks to all for answering.

Roman, you should admit that a simple user such as I am gets confused when he sees that he's got qpopper 2.53 while eudora.com screams about bugs in 2.53 and the need for an urgent upgrade to 3.x. 3.1.2 has more features than SuSE's patched 2.53, by the way. Sorry if I posted lame info to the list.

RD> To make it short:
RD> The qpopper and ssh bugs are non-present in the latest SuSE update
RD> packages as found on the ftp server.
RD> ssh is not compiled with the flag --with-rsaref in SuSE packages due to
RD> licensing problems.
RD> The qpopper from SuSE-7.1 is the latest available, 2.53 is a patched
RD> version to work around licensing issues (thanks to the qualcomm guys who
RD> allowed us to redistribute qpopper in the latest version).
RD> Anyway, we learn that a security/vulnerability scanner is nice, but the
RD> output has to be understood and interpreted.
Best regards, Gediminas mailto:gedas@kryptis.lt
Hi,

> Saint says: "ssh versions 1.2.27 and earlier if compiled with the --with-rsaref option are vulnerable."

You should not take any complaint saint - or for that matter, nessus - has as a given fact. Security scanners can only give you hints on what _might_ be a vulnerable service and give false positives more often than not. BTW saint is obsolete, use nessus instead (latest version comes with SuSE 7.1).

> "This problem can be fixed by upgrading to ssh-1.2.28. If this is not possible, then install the ssh patch "
> Suse has latest patch which produces ssh-1.2.27-209 for SuSE 6.3/6.4 (this version was uploaded 15/Feb or so.) So i thought it looks like brand new vulnerability...

The RSAREF vulnerability is old and not related to the latest SuSE update. And it doesn't affect SuSE because, as you can find out for yourself by typing "ssh -V", SuSE's version is not compiled against RSAREF.

> Sincerely Yours, Gediminas Grigas mailto:gedas@kryptis.lt

Regards,
Martin
--
Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany
E-Mail (work): lewelin@uni-muenster.de
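The check described in the replies above (read the build line from `ssh -V`, then apply both conditions quoted from Saint) can be scripted; this is an added example, not part of the original thread. The banner strings are constructed samples and their exact wording is an assumption about how ssh 1.2.x reports its build.

```shell
#!/bin/sh
# Added example: triage a scanner's "ssh <= 1.2.27 with RSAREF" finding from
# the build information printed by `ssh -V`.
# The banners below are constructed sample input (assumed wording), not
# output captured from a real host.
SAMPLE_STANDARD='SSH Version 1.2.27 [i686-unknown-linux], protocol version 1.5.
Standard version.  Does not use RSAREF.'
SAMPLE_RSAREF='SSH Version 1.2.27 [i686-unknown-linux], protocol version 1.5.
Compiled with RSAREF.'
SAMPLE_FIXED='SSH Version 1.2.28 [i686-unknown-linux], protocol version 1.5.
Compiled with RSAREF.'

# version_le A B: succeed when dotted version A <= B (numeric, field by field).
version_le() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# triage_rsaref BANNER: print one verdict for the scanner finding.
triage_rsaref() {
    banner=$1
    ver=$(printf '%s\n' "$banner" |
        sed -n 's/^SSH Version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo "unknown: no version in banner"; return 0; }
    # The finding needs BOTH conditions from the Saint text: old version AND RSAREF.
    if ! version_le "$ver" 1.2.27; then
        echo "not-affected: version $ver is newer than 1.2.27"
    elif printf '%s\n' "$banner" | grep -qi 'not use RSAREF'; then
        echo "false-positive: $ver built without RSAREF"
    elif printf '%s\n' "$banner" | grep -qi 'RSAREF'; then
        echo "affected: $ver built with RSAREF"
    else
        echo "unknown: banner does not state RSAREF use"
    fi
}
```

On a live host the input would be `triage_rsaref "$(ssh -V 2>&1)"`; an "unknown" verdict means the banner has to be read by hand rather than trusted either way.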
participants (4): Gediminas Grigas, Kurt Seifried, Martin Leweling, Roman Drahtmueller