On Thu, 20 Dec 2001, Jörg Marten wrote:

Hi,
Hello,
I am using SuSE 7.2 and the ssh-version "ssh-1.2.27-280" that comes along with it. As far as I know, there was no update up to now for it (in SuSE 7.2).
My problem/question is that I have been told that all versions of ssh lower than 1.2.32 are insecure due to a bug
That's wrong. Patched ssh 1.2.27 as used in our updated packages is not vulnerable. Since 7.2 the src rpm contains a "deattac.patch" file which is applied in the built packages since 7.2. All ssh's since and including 7.2 are safe against crc32.

If you use older distributions you should have read our advisories which tell you which updated packages to use for these distros. The announcement-id was SuSE-SA:2001:04 and the advisory may be found at http://www.suse.de/security.

As a general rule, if you are not sure about the versions, always use the newest packages from our ftp server, and you are on the safe side. :-)

regards,
Sebastian

--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@suse.de - SuSE Security Team
~
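The reply's point is that a version string alone does not show whether a backported fix is present; what matters is whether the patch is declared in the source package and actually applied at build time. The following is an added example, not part of the original message or SuSE's packaging: it checks a spec file's text for a named patch, using a constructed spec fragment (patch numbers, `example-build.patch` and the function name `patch_status` are assumptions).

```python
import re

# Constructed spec fragment for illustration; not the real SuSE spec file.
# Patch numbering and "example-build.patch" are placeholders.
SAMPLE_SPEC = """\
Name:     ssh
Version:  1.2.27
Source:   ssh-1.2.27.tar.gz
Patch0:   example-build.patch
Patch1:   deattac.patch
%prep
%setup
%patch0 -p1
%patch1 -p1
%build
./configure
"""

# Section headers that end %prep (compared as whole tokens, so "%pre" != "%prep").
OTHER_SECTIONS = {"%description", "%package", "%build", "%install", "%check",
                  "%clean", "%pre", "%post", "%preun", "%postun", "%files",
                  "%changelog"}
DECL = re.compile(r"^Patch(\d*)\s*:\s*(\S+)", re.IGNORECASE)
APPLY = re.compile(r"^%patch(\d*)(?:\s+(.*))?$")

def patch_status(spec_text, patch_name):
    """Return 'applied', 'declared-only' or 'missing' for patch_name."""
    declared, applied, in_prep = {}, set(), False
    for raw in spec_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or commented-out line
        token = line.split()[0]
        if token == "%prep":
            in_prep = True
        elif token in OTHER_SECTIONS:
            in_prep = False
        m = DECL.match(line)
        if m:                             # "Patch:" means patch number 0
            declared[int(m.group(1) or 0)] = m.group(2).rsplit("/", 1)[-1]
        m = APPLY.match(line) if in_prep else None
        if m:
            num = m.group(1)
            if not num:                   # "%patch -P 1" form, else patch 0
                p = re.search(r"-P\s*(\d+)", m.group(2) or "")
                num = p.group(1) if p else "0"
            applied.add(int(num))
    numbers = [n for n, name in declared.items() if name == patch_name]
    if not numbers:
        return "missing"
    return "applied" if any(n in applied for n in numbers) else "declared-only"
```

A result of `declared-only` means the patch file ships in the source package but is never applied in `%prep`, so the built binary would not contain the fix.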