ssh_security

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



Subject: Re: SSH
From: "Michael H. Warfield" <mhw@wittsend.com>
Date: Wed, 19 Jan 2000 12:18:08 -0500


On Wed, Jan 19, 2000 at 12:53:58PM -0500, Michael J. McGillick wrote:
> Afternoon Everyone:

> A buddy of mine believes that I'm running an insecure version of SSH.  My
> current version is:

>    ssh-1.2.27-5us

	Possibly so...

	If that implies that you are running the US version of ssh 1.2.27
which includes RSAREF2, then yes, you are running an insecure version
due to two buffer overflow problems, one in the rsaglue routines used
to shim RSAREF2 into ssh and the other in RSAREF2 itself.

> How do I tell if my version is insecure, and where would I get the latest
> version from?

	I'm unaware that there has been an official "fix" for ssh-1.2.27.
I would love to be proven wrong on that, but I've heard nothing.  There are
some "unofficial" patches out there.  One fixes the rsaglue problem and
RSA has "blessed" a patch to RSAREF2 to address the other.  I have neither.
It is possible that the "27-5" may incorporate those patches, but I really
don't think I would trust it.

	I have switched over to OpenSSH <www.openssh.org>.  It's not
subject to these problems.

	You can also switch to the International version of ssh which
uses the International version of the RSA libraries.  If you are in the
US, that violates the RSA patent until it expires in October.

===

Subject: Re: SSH
From: Mike Cathey <pointer@vol.com>
Date: Wed, 19 Jan 2000 12:36:53 -0500


Dear Sirs;
Your box is only vulnerable IF and ONLY IF you compiled ssh with the
RSAREF option.  You would have had to run './configure --with-RSAREF' or
something along those lines.  I haven't compiled it (ssh 1.2.27) in the last 2
weeks so I couldn't really tell you what the exact parameter is.  Running
`sshd -V' or whatever you had to do to get ssh to return a version ('sshd
--version'??) should tell you whether or not you compiled it with RSAREF.

===

Note, mine (was this stock in RedHat 6.1?) is: 

/usr/bin/ssh -V
SSH Version 1.2.26 [i586-unknown-linux], protocol version
1.5.
Compiled with RSAREF.
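
The check Mike describes (look at the `ssh -V` / `sshd -V` banner for the
version number and for "Compiled with RSAREF") can be scripted.  The
following is an added example, not code from any of the posters; the
function names are my own, the banner strings are constructed from the
format shown in the note above plus an OpenSSH-style banner, and the
classification rule it encodes is exactly the one stated in the thread:
an ssh 1.2.x build is flagged only when the banner says it was compiled
with RSAREF.

```shell
#!/bin/sh
# Added example: classify an ssh/sshd "-V" banner as a RSAREF-linked
# ssh 1.2.x build or not.  Not from the original posts.

# Constructed sample banners (assumption: the first follows the format in
# the note above, the third the format OpenSSH of that era printed).
BANNER_RSAREF='SSH Version 1.2.26 [i586-unknown-linux], protocol version 1.5.
Compiled with RSAREF.'
BANNER_INTL='SSH Version 1.2.27 [i586-unknown-linux], protocol version 1.5.'
BANNER_OPENSSH='OpenSSH_2.1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090581f'

# ssh_uses_rsaref BANNER -> exit 0 if the banner says "Compiled with RSAREF"
ssh_uses_rsaref() {
    printf '%s\n' "$1" | grep -qi 'compiled with rsaref'
}

# ssh_version BANNER -> prints the number after "SSH Version", or nothing
# (OpenSSH banners do not start that way, so they yield an empty version)
ssh_version() {
    printf '%s\n' "$1" | sed -n 's/^SSH Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# is_affected_build BANNER -> exit 0 only for ssh 1.2.x compiled with RSAREF
is_affected_build() {
    ver=$(ssh_version "$1")
    case "$ver" in
        1.2.*) ssh_uses_rsaref "$1" ;;
        *)     return 1 ;;
    esac
}

# classify BANNER -> prints "affected" or "not-affected" for one banner
classify() {
    if is_affected_build "$1"; then
        echo affected
    else
        echo not-affected
    fi
}

# Live check of the installed binary.  Some builds print the banner on
# stderr, so both streams are captured.  Not run automatically here.
check_installed_ssh() {
    banner=$(ssh -V 2>&1)
    echo "$(classify "$banner"): $banner"
}

# Demonstration on the constructed banners.
for b in "$BANNER_RSAREF" "$BANNER_INTL" "$BANNER_OPENSSH"; do
    echo "$(classify "$b") <- $(printf '%s' "$b" | head -n 1)"
done
```

Run `check_installed_ssh` on the box in question to apply the same test to
the real banner.  The rule deliberately matches only the build the thread
singles out; an International 1.2.27 or an OpenSSH banner is reported as
not affected by *this* issue, which says nothing about any other problem.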

===

Subject: Re: SSH
From: Bernhard Rosenkraenzer <bero@redhat.de>
Date: Wed, 19 Jan 2000 18:09:18 +0100 (CET)


On Wed, 19 Jan 2000, Michael J. McGillick wrote:

> A buddy of mine believes that I'm running an insecure version of SSH.  My
> current version is:
> 
>    ssh-1.2.27-5us
> 
> How do I tell if my version is insecure,

Check if it is RSA-enabled and not patched.

> and where would I get the latest version from?

ftp://ftp.redhat.de/pub/rh-addons/security/

You'll probably want to switch to OpenSSH while you're at it.

===
