On Fri, Dec 14, 2001 at 03:54:59PM +0100, Philipp Haeuser wrote:
> Is ssh2 2.0.13-6 (the debian/unstable package from packages.debian.org)
> vulnerable to the crc32 compensation attack described here ?
>
> http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
This issue only applies to ssh protocol v1. The above page says:

<quote>
** Not vulnerable: SSH2 (ssh.com): all 2.x releases
NOTE: SSH2 installations with SSH1 fallback support are vulnerable
</quote>

This problem did exist in ssh-nonfree in unstable, and was fixed in 1.2.27-8.

> How about the ssh 1:1.2.3-9.3 and ssh-nonfree 1.2.27-6.1 packages
> (debian/stable from packages.debian.org), are they safe regarding this
> attack?

The stable version of OpenSSH (ssh) was fixed in February, see DSA-027-1:
http://www.debian.org/security/2001/dsa-027

The stable version of ssh-nonfree has recently been patched to fix the vulnerability, see DSA-086-1:
http://www.debian.org/security/2001/dsa-086

-- 
- mdz