Hello,
I am using SuSE 7.2 and the ssh-version "ssh-1.2.27-280" that comes along with it. As far as I know, there was no update up to now for it (in SuSE 7.2).
My problem/question is that I have been told that all versions of ssh lower than 1.2.32 are insecure due to a bug found on 8.2.2001. I am wondering if the ssh ("ssh-1.2.27-280" e.g. lower than 1.2.32) of SuSE 7.2 might be insecure? I hope the patches indicated by "-280" fix the problem. Is that the case?
For help/explanation thankful,
Jörg Marten
> Hello,
> I am using SuSE 7.2 and the ssh-version "ssh-1.2.27-280" that comes along with it. As far as I know, there was no update up to now for it (in SuSE 7.2).
> My problem/question is that I have been told that all versions of ssh lower than 1.2.32 are insecure due to a bug found on 8.2.2001. I am wondering if the ssh ("ssh-1.2.27-280" e.g. lower than 1.2.32) of SuSE 7.2 might be insecure? I hope the patches indicated by "-280" fix the problem. Is that the case?
7.2 was released some time in April (or was it end of March)? Look at the changelog of the package (keyrec.patch or so).
> For help/explanation thankful, Jörg Marten
Thanks,
Roman.
--
| Roman Drahtmüller
On Thu, 20 Dec 2001, Jörg Marten wrote:
Hi,
> Hello,
> I am using SuSE 7.2 and the ssh-version "ssh-1.2.27-280" that comes along with it. As far as I know, there was no update up to now for it (in SuSE 7.2).
> My problem/question is that I have been told that all versions of ssh lower than 1.2.32 are insecure due to a bug
That's wrong. Patched ssh 1.2.27 as used in our updated packages is not vulnerable. Since 7.2 the src rpm contains a "deattac.patch" file which is applied in the built packages since 7.2. All ssh's since and including 7.2 are safe against crc32.
If you use older distributions you should have read our advisories which tell you which updated packages to use for these distros. The announcement-id was SuSE-SA:2001:04 and the advisory may be found at http://www.suse.de/security.
As a general rule, if you are not sure about the versions, always use the newest packages from our ftp server, and you are on the safe side. :-)
regards,
Sebastian
--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@suse.de - SuSE Security Team
~
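The check both replies point to (read the package changelog instead of comparing version numbers), as an added example that is not part of the original thread or SuSE's tooling. The function names and the sample changelog are constructed; the keywords `deattac` and `crc32` and the version numbers are taken from the messages above.

```shell
#!/bin/sh
# Added example: classify a distro package whose upstream version is lower
# than the "fixed in" version by looking for backport evidence in its changelog.

# ver_lt A B: succeed if version A is strictly lower than B.
# Assumes up to three dotted numeric components (e.g. 1.2.27).
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" |
         sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# backport_status VERSION[-RELEASE] FIXED_IN KEYWORD_REGEX   (changelog on stdin)
# Prints one of:
#   fixed-upstream  version is at or above the upstream fix
#   backported      older version, but the changelog names the fix
#   unverified      older version and no evidence found (not proof of a hole)
backport_status() {
    version=${1%%-*}      # drop the distro release suffix, e.g. "-280"
    fixed_in=$2
    keywords=$3
    if ! ver_lt "$version" "$fixed_in"; then
        echo fixed-upstream
    elif grep -Eiq -- "$keywords"; then
        echo backported
    else
        echo unverified
    fi
}

# Constructed sample changelog text, not copied from any real package.
SAMPLE_CHANGELOG='* (constructed entry) packager@example.invalid
- apply deattac.patch'

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_CHANGELOG" |
    backport_status 1.2.27-280 1.2.32 'deattac|crc32'
```

On an installed system the changelog would come from `rpm -q --changelog ssh` piped into `backport_status`; an `unverified` result means the advisory and the source RPM's patch list still need to be checked by hand.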