* Roman Drahtmueller (draht@suse.de) [020116 23:32]:
->Hello Ben,
->
->long time no see. :-)

Yes, I think we both have been busy as hell. Good to hear from you.

->Summary: Versions of openssh before 2.3.0 were vulnerable to the defective
->crc32 compensation attack fix from core-sdi. 2.3.0 corrected the fix.
->There were some few other vulnerabilities after 2.3.0 though which make a
->newer version necessary.

OH! I guess I misread it. I thought they meant the commercial version of SSH, hence the 2.3 and below... and my statement about "I was under the impression.." guess my impression was wrong. *grin*

->
->The current SuSE package (2.9.9p2) fixes all currently known
->vulnerabilities in the same way as 3.0.2 does.

I know. I trust you. :)

->Do. And to mention it once more since people don't seem to read security
->announcements from their vendor :-) : The crc32 compensation attack is not
->the problem. The problem is an attack against the faulty fix of the crc32
->compensation attack from core-sdi. In other words, 2.3.0 (and the ssh
->package from February 2001) fix a defective fix.

*laugh* I saw the announcement and read about as far as to get the idea "fuck, I guess I need to upgrade.." so I just got the most current and compiled ;)

Cheers! and I hope all is well for you. :)

-----=====-----=====-----=====-----=====-----
Ben Rosenberg
mailto:ben@whack.org
-----=====-----=====-----=====-----=====-----
I'm out of my mind, but feel free to leave a message...