anybody out there who got the exploit under http://online.securityfocus.com/bid/4560 to work against ssh 3.x.x?

thomas

Thomas Springer

Hi!

On Mon, 22 Apr 2002, Thomas Springer wrote:
> anybody out there who got the exploit under http://online.securityfocus.com/bid/4560 to work against ssh 3.x.x?

More interesting for me at the moment: is openssh-2.9.9p2, as supplied by SuSE on the update server, vulnerable? If I understand the bugtraq posting (of 19-April-2002) correctly, the bug is somewhere in the Kerberos token handling; apparently, at least the SuSE 7.2 version was compiled with Kerberos support disabled (all Kerberos-related options I tried were answered with an error message), so this version should be safe - right?

Martin

* Martin Köhling (mk@lw1.cc-computer.de) [020422 07:46]:
::
::More interesting for me at the moment: is openssh-2.9.9p2, as supplied by
::SuSE on the update server, vulnerable?

No it's not vulnerable. SuSE tends to patch the same version numbered RPM so as not to break deps. The 2.9.9 rpm is fully patched and safe.

As for 3.X being vulnerable..it's 3.0.2 and below..3.1 isn't.

-=Ben
--=====-----=====-- mailto:ben@whack.org --=====--
"I've never been quarantined. But the more I look around the more I think it might not be a bad thing." -GC
--=====-----=====--

On Mon, 22 Apr 2002, Ben Rosenberg wrote:
> * Martin Köhling (mk@lw1.cc-computer.de) [020422 07:46]:
> ::
> ::More interesting for me at the moment: is openssh-2.9.9p2, as supplied by
> ::SuSE on the update server, vulnerable?
>
> No it's not vulnerable. SuSE tends to patch the same version numbered RPM so as not to break deps. The 2.9.9 rpm is fully patched and safe.

I *think* you're making a mistake here: this is (apparently) a *new* bug - SuSE didn't have time to fix anything yet!

> As for 3.X being vulnerable..it's 3.0.2 and below..3.1 isn't.

Umm, no; this is from the openssh announcement list (I got it today):

~~~~~~~~~~~~cut~~~~~~~~~~~~~~~~~
From provos@citi.umich.edu Tue Apr 23 11:01:29 2002
Date: Sat, 20 Apr 2002 23:39:31 -0400
From: Niels Provos