Mailinglist Archive: opensuse-security (685 mails)

Re: [suse-security] New SSH bug?
  • From: Boris Lorenz <bolo@xxxxxxx>
  • Date: Thu, 28 Feb 2002 15:32:08 +0100
  • Message-id: <3C7E3F68.4955B49D@xxxxxxx>
Yuppa,

Roman Drahtmueller wrote:
>
> >
> > Yes, and a colleague of mine just made a root exploit discovery in OpenSSH
> > that affects 3.0.1p1 and below. Once I know more or he decides to
> > announce it..I'll let you know. He's in a testing phase.
> >
> > Cheers!
>
> Are you sure that openssh is affected? Right now, it looks like only the
> commercial ssh versions are targeted - they have similar version numbers.
>
> But still no more news. :-/

If I got that correctly, ssh.com, in a roundabout way, already addressed
the problem on their web site:

http://www.ssh.com/products/ssh/advisories/ssh1_2002-02-25.cfm

This is an "advisory" (well, sort of...) from 02/25, which points out
that the recent sec holes only affect ssh1. Apparently, the publication
is targeted towards a TV news broadcast of Finnish TV, which said that
there had been attacks/break-ins against, quote, "tens of thousands
of computers all around the world" with vulnerable ssh1 installations.
Unfortunately, they don't go into detail. I have not checked the
security status of the current OpenSSH versions.

Currently, I'm about to track down the "sshex" tool/app which has been
mentioned in the securityfocus posting. Since our company very heavily
relies on ssh, this issue is very important for us. I will re-post in
this thread as soon as I have more info.

Ben, thanks for bringing that to our attention.

> Roman.

Boris Lorenz <bolo@xxxxxxx>
---
