This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
Subject: Re: SSH
From: "Michael H. Warfield" <mhw@wittsend.com>
Date: Wed, 19 Jan 2000 12:18:08 -0500

On Wed, Jan 19, 2000 at 12:53:58PM -0500, Michael J. McGillick wrote:
> Afternoon Everyone:
> A buddy of mine believes that I'm running an insecure version of SSH. My
> current version is:
> ssh-1.2.27-5us

Possibly so... If that implies that you are running the US version of ssh 1.2.27 which includes RSAREF2, then yes, you are running an insecure version due to two buffer overflow problems, one in the rsaglue routines used to shim RSAREF2 into ssh and the other in RSAREF2 itself.

> How do I tell if my version is insecure, and where would I get the latest
> version from?

I'm unaware that there has been an official "fix" for ssh-1.2.27. I would love to be proven wrong on that, but I've heard nothing. There are some "unofficial" patches out there. One fixes the rsaglue problem and RSA has "blessed" a patch to RSAREF2 to address the other. I have neither. It is possible that the "27-5" may incorporate those patches, but I really don't think I would trust it.

I have switched over to OpenSSH <www.openssh.org>. It's not subject to these problems. You can also switch to the International version of ssh which uses the International version of the RSA libraries. If you are in the US, that violates the RSA patent until it expires in October.

===
Subject: Re: SSH
From: Mike Cathey <pointer@vol.com>
Date: Wed, 19 Jan 2000 12:36:53 -0500

Dear Sirs;

Your box is only vulnerable IF and ONLY IF you compiled ssh with the RSAREF option. You would have had to run './configure --with-RSAREF' or something along those lines. I haven't compiled it (ssh 1.2.27) in the last 2 weeks so I couldn't really tell you what the exact parameter is.

Running `sshd -V' or whatever you had to do to get ssh to return a version ('sshd --version'??) should tell you whether or not you compiled it with RSAREF.

===
Note, mine (was this stock in RedHat 6.1?) is:

    /usr/bin/ssh -V
    SSH Version 1.2.26 [i586-unknown-linux], protocol version 1.5.
    Compiled with RSAREF.

===
Subject: Re: SSH
From: Bernhard Rosenkraenzer <bero@redhat.de>
Date: Wed, 19 Jan 2000 18:09:18 +0100 (CET)

On Wed, 19 Jan 2000, Michael J. McGillick wrote:
> A buddy of mine believes that I'm running an insecure version of SSH. My
> current version is:
>
> ssh-1.2.27-5us
>
> How do I tell if my version is insecure,

Check if it is RSA-enabled and not patched.

> and where would I get the latest version from?

ftp://ftp.redhat.de/pub/rh-addons/security/

You'll probably want to switch to OpenSSH while you're at it.

===
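The check Mike Cathey describes (look at the `ssh -V` banner for "Compiled with RSAREF"), written up as a small script; this is an added example, not code from the thread or from any of its posters. It parses a banner in the form shown in the note above and reports whether the build is an ssh 1.x linked against RSAREF, the configuration the thread identifies as affected; the sample banners in the block are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies an `ssh -V` banner such as
#   SSH Version 1.2.26 [i586-unknown-linux], protocol version 1.5. Compiled with RSAREF.
# and prints one of:
#   rsaref <version>     ssh 1.x built against RSAREF (the build the thread warns about)
#   no-rsaref <version>  ssh 1.x built without RSAREF
#   not-ssh1             banner is not in the "SSH Version ..." form (e.g. OpenSSH)
classify_ssh_banner() {
    banner=$1
    case "$banner" in
        "SSH Version "*) ;;
        *) echo not-ssh1; return 0 ;;
    esac
    # The version is the token right after "SSH Version ".
    rest=${banner#SSH Version }
    version=${rest%% *}
    case "$banner" in
        *"Compiled with RSAREF"*) echo "rsaref $version" ;;
        *) echo "no-rsaref $version" ;;
    esac
}

# Check the ssh on this host. ssh -V writes the banner to stderr, and the old
# ssh prints it on two lines, so join them before classifying.
check_local_ssh() {
    banner=$(ssh -V 2>&1 | tr '\n' ' ')
    classify_ssh_banner "$banner"
}

# Constructed sample banners for a stand-alone run (--self-test);
# --local runs the check against the installed ssh.
case "${1:-}" in
    --local) check_local_ssh ;;
    --self-test)
        classify_ssh_banner 'SSH Version 1.2.26 [i586-unknown-linux], protocol version 1.5. Compiled with RSAREF.'
        classify_ssh_banner 'SSH Version 1.2.27 [i586-unknown-linux], protocol version 1.5.'
        classify_ssh_banner 'OpenSSH_x.y (constructed placeholder banner)'
        ;;
esac
```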