Mailinglist Archive: opensuse-security (757 mails)

< Previous Next >
Re: [suse-security] SSH
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Thu, 17 Jan 2002 08:26:15 +0100 (MET)
  • Message-id: <Pine.LNX.4.43.0201170818330.24073-100000@xxxxxxxxxxxx>
Hello Ben,

long time no see. :-)

> I was under the impression that anything below 3.0p1 or the SuSE patched
> 2.9.9 RPM have this vulnerability. I could be wrong, but this doesn't
> stop you from using the new SuSE rpm or doing what I did..compiling
> 3.0.2p1 which works quite well.

I'm sorry, but this is wrong.

Summary: Versions of openssh before 2.3.0 were vulnerable to the defective
crc32 compensation attack fix from core-sdi. 2.3.0 corrected the fix.
There were some few other vulnerabilities after 2.3.0 though which make a
newer version necessary.

The current SuSE package (2.9.9p2) fixes all currently known
vulnerabilities in the same way as 3.0.2 does.

> * JW (jw@xxxxxxxxxxxxxxxxxx) [020116 10:38]:
> ->Can anyone tell me if openssh-2.5.2 is vulnerable the crc32 compensation
> ->attack?

Do. And to mention it once more since people don't seem to read security
announcements from their vendor :-) : The crc32 compensation attack is not
the problem. The problem is an attack against the faulty fix of the crc32
compensation attack from core-sdi. In other words, 2.3.0 (and the ssh
package from February 2001) fix a defective fix.


< Previous Next >
Follow Ups