Fwd: Re: [suse-security] ssh 3.x exploit
I don't think it is a problem if you don't have Kerberos or protocol 1 enabled.

phil@lead > tgt 192.168.10.2 root ace connected
remote protocol version 2.0, software version -- OpenSSH_2.9.9p2 --
client protocol:SSH-1.5-1.3.0
waiting for server public key
FATAL: invalid packet length 1349676916

phil@lead > tgt 192.168.0.2 root ace connected
remote protocol version 2.0, software version -- OpenSSH_2.9.9p2 --
client protocol:SSH-1.5-1.3.0
waiting for server public key
FATAL: invalid packet length 1349676916

phil@lead > tgt 192.168.0.3 root ace connected
remote protocol version 2.0, software version -- OpenSSH_2.9.9p2 --
client protocol:SSH-1.5-1.3.0
waiting for server public key
FATAL: invalid packet length 1349676916

maybe I am missing something. Is this the same one that is at http://www.security.nnov.ru/search/exploits.asp

On Tuesday 23 April 2002 02:17 am, you wrote:
On Mon, 22 Apr 2002, Ben Rosenberg wrote:
* Martin Köhling (mk@lw1.cc-computer.de) [020422 07:46]:
::More interesting for me at the moment: is openssh-2.9.9p2, as supplied
:: by SuSE on the update server, vulnerable?
No it's not vulnerable. SuSE tends to patch the same version numbered RPM so as not to break deps. The 2.9.9 rpm is fully patched and safe.
I *think* you're making a mistake here: this is (apparently) a *new* bug - SuSE didn't have time to fix anything yet!
As for 3.X being vulnerable..it's 3.0.2 and below..3.1 isn't.
Umm, no; this is from the openssh announcement list (I got it today):
-- Leave the Constitution Alone. http://members.osb.net/phil
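
Added example, not part of the original message or of any tool mentioned in it: the "invalid packet length" value in the output above can be read back as the four big-endian bytes of the SSH packet length field, which shows whether the peer sent plain text where a binary packet was expected. The sample lines are constructed in the shape of the quoted output, with one extra constructed value for contrast; the function names are illustrative.

```python
import re
import struct

# Constructed sample, modelled on the output quoted in the message above.
# The second FATAL line is an extra constructed value for contrast.
SAMPLE_LOG = """\
remote protocol version 2.0, software version -- OpenSSH_2.9.9p2 --
client protocol:SSH-1.5-1.3.0
waiting for server public key
FATAL: invalid packet length 1349676916
FATAL: invalid packet length 4294967295
"""

LENGTH_RE = re.compile(r"invalid packet length (\d+)")


def decode_length(value):
    """Return the 4 bytes that were parsed as a big-endian 32-bit length."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit length field: %d" % value)
    return struct.pack(">I", value)


def is_printable(raw):
    """True when every byte is printable ASCII (0x20..0x7e)."""
    return all(0x20 <= b <= 0x7E for b in raw)


def analyse(log_text):
    """Decode every 'invalid packet length' value found in log_text."""
    findings = []
    for match in LENGTH_RE.finditer(log_text):
        value = int(match.group(1))
        raw = decode_length(value)
        findings.append({
            "value": value,
            "hex": raw.hex(),
            # Printable bytes mean a text line was read as a length field.
            "text": raw.decode("ascii") if is_printable(raw) else None,
        })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        note = "text %r read as a length" % f["text"] if f["text"] else "not text"
        print("%d = 0x%s (%s)" % (f["value"], f["hex"], note))
```

For 1349676916 the bytes are 50 72 6f 74, the ASCII text "Prot", so the client parsed the start of a text line as a packet length.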