On Tue, Dec 17, 2002 at 12:02:57PM +0000, Andrew Mulholland wrote:
> On Tue, 2002-12-17 at 10:05, Adrian 'Dagurashibanipal' von Bidder wrote:
> >
> > Well, SSH1 is still vulnerable. It's nothing to do with the current
> > advisory. So the advice not to run SSH1 is still valid.
> >
>
> does this affect the ssh1 option in OpenSSH?
> (as in on a woody/sarge box, running OpenSSH, if I've the ssh1 option
> enabled, am I vulnerable? :)

The CERT Vulnerability Note is number VU#945216, and can be accessed
here[1]. Basically, this vulnerability is in the code that checks for
the CRC32 attack. It suffers from an integer overflow. According to the
note, SSH1 in Debian is vulnerable. The last date they checked was
December 13, 2001. However, according to OpenSSH's security page[2],
only versions of OpenSSH before 2.3.0 are vulnerable.

Woody ships with 3.4p1. However, unless there is no way around it, you
should restrict access to your SSH daemon to hosts that you know are
safe, and you should disable SSH1. If you are going to be setting up a
new SSH server soon, now would be a good time to make the change.

Also, according to the previous vulnerability from December 16, those of
you using PuTTY to access your SSH accounts might want to think about
upgrading as PuTTY versions less than 0.53b are vulnerable to the same
type of attack. They are available from PuTTY's website[3].

[1] http://www.kb.cert.org/vuls/id/945216
[2] http://www.openssh.com/security.html
[3] http://www.chiark.greenend.org.uk/~sgtatham/putty/

-- 
Edward Guldemond
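
One way to check the "disable SSH1" advice above against an sshd_config, as an added example that is not part of the original post. It assumes an OpenSSH 3.x-era daemon that accepts both protocols ("2,1") when no Protocol line is present; the function names and sample configurations are constructed for illustration.

```python
import re

# Assumption: with no Protocol line, an sshd of the OpenSSH 3.x era accepts
# both versions ("2,1"). Pass another default when auditing other releases.
ERA_DEFAULT = "2,1"

# Keywords are case-insensitive; '#' lines never match because of the anchor.
PROTOCOL_RE = re.compile(r"^\s*protocol(?:\s*=\s*|\s+)(\S+)", re.IGNORECASE)

def effective_protocols(config_text, default=ERA_DEFAULT):
    """Return the set of protocol versions the daemon would accept."""
    value = default
    for line in config_text.splitlines():
        m = PROTOCOL_RE.match(line)
        if m:
            value = m.group(1)   # sshd uses the first value it reads
            break
    return {v for v in value.strip('"').split(",") if v}

def audit(config_text, default=ERA_DEFAULT):
    """Return (ok, message); ok is False whenever protocol 1 is accepted."""
    protos = effective_protocols(config_text, default)
    unknown = protos - {"1", "2"}
    if unknown:
        return False, "unrecognised Protocol value: " + ",".join(sorted(unknown))
    if "1" in protos:
        listed = ",".join(sorted(protos))
        return False, "SSH1 enabled (Protocol %s); set 'Protocol 2'" % listed
    return True, "SSH1 disabled"

# Constructed sample configurations, not taken from any real host.
WEAK = "# sshd_config (constructed sample)\nPort 22\nProtocol 2,1\n"
HARDENED = "Port 22\nprotocol 2\nProtocol 2,1\n"   # later line is ignored
COMMENTED_OUT = "Port 22\n#Protocol 2\n"            # falls back to the default

if __name__ == "__main__":
    samples = [("weak", WEAK), ("hardened", HARDENED),
               ("commented", COMMENTED_OUT)]
    for name, text in samples:
        print(name, audit(text))
```

The commented-out case is the one most often missed: a `#Protocol 2` line changes nothing, so the daemon keeps whatever its built-in default allows.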