Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] SSH
  • From: Ben Rosenberg <ben@xxxxxxxxx>
  • Date: Thu, 17 Jan 2002 11:43:11 -0800
  • Message-id: <20020117194311.GA1048@xxxxxxxxx>
* Roman Drahtmueller (draht@xxxxxxx) [020116 23:32]:
->Hello Ben,
->long time no see. :-)

Yes, I think we both have been busy as hell. Good to hear from you.

->Summary: Versions of openssh before 2.3.0 were vulnerable to the defective
->crc32 compensation attack fix from core-sdi. 2.3.0 corrected the fix.
->There were a few other vulnerabilities after 2.3.0, though, which make a
->newer version necessary.

OH! I guess I misread it. I thought they meant the commercial version
of SSH hence the 2.3 and below...and my statement about "I was under the
impression.." guess my impression was wrong. *grin*

->The current SuSE package (2.9.9p2) fixes all currently known
->vulnerabilities in the same way as 3.0.2 does.

I know. I trust you. :)

->Do. And to mention it once more since people don't seem to read security
->announcements from their vendor :-) : The crc32 compensation attack is not
->the problem. The problem is an attack against the faulty fix of the crc32
->compensation attack from core-sdi. In other words, 2.3.0 (and the ssh
->package from February 2001) fix a defective fix.

*laugh* I saw the announcement and read about as far as to get the idea
"fuck, I guess I need to upgrade.." so I just got the most current and
compiled ;)

Cheers! and I hope all is well for you. :)

Ben Rosenberg mailto:ben@xxxxxxxxx
I'm out of my mind, but feel free to leave a message...
