Trond Eivind Glomsrød wrote:
>
> [EMAIL PROTECTED] (Trond Eivind Glomsrød) writes:
>
> > [EMAIL PROTECTED] (Mike Burger) writes:
> >
> > > Does anyone know if the currently available openssh rpms contain the latest
> > > vulnerability listed in today's CERT advisory?
> >
> > They do. The advisory is mainly concerned with ssh (the nonfree
> > version) anyway, the holes fixed in openssh have been very limited.
>
> Sorry, to clarify: They contain the latest fixes. There aren't known
> security problems with them.
>

That is not really true. The main problem with ssh is with the ssh1 version. This protocol is insecure by itself, so you don't have to use it. OpenSSH distributed with Red Hat is configured to use ssh2 by default, but it can still use ssh1 if you have an ssh1 client, so you have the problem. You have to configure openssh not to use ssh1 by using the clause:

    Protocol 2

in sshd_config (by default, this variable takes the value "2,1", so it still uses ssh1). This way, your openssh is not vulnerable.

--
Angel L. Mateo
Redes y Comunicaciones - ATICA
Tfo: +34 968 367590
Universidad de Murcia
Fax: +34 968 363389
Edificio D, Campus de Espinardo
CP: 30100, Murcia

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
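An added example, not part of the original message or of OpenSSH: a Python check that reads sshd_config text and reports whether ssh1 is still accepted, treating a missing or commented-out `Protocol` line as the "2,1" default the message describes. The function names and sample configs are constructed for illustration, and the first-match rule is an assumption noted in the code.

```python
import re

# Default the message above gives when sshd_config has no Protocol line
# (an assumption taken from the post, not checked against any sshd build).
ASSUMED_DEFAULT = "2,1"

# Constructed sample configs, not taken from a real host.
HARDENED = "Port 22\nProtocol 2\nPermitRootLogin no\n"
COMMENTED_OUT = "Port 22\n#Protocol 2\nPermitRootLogin no\n"
SHADOWED = "protocol 2,1\nProtocol 2\n"


def effective_protocol(config_text, default=ASSUMED_DEFAULT):
    """Return the Protocol value in effect for this sshd_config text."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment, including a commented-out directive
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) < 2 or parts[0].lower() != "protocol":
            continue  # keywords are matched case-insensitively
        # Assumption: the first Protocol line is the one that takes effect.
        return "".join(parts[1].split("#", 1)[0].split())
    return default


def ssh1_enabled(config_text):
    """True if protocol version 1 is among the accepted versions."""
    return "1" in effective_protocol(config_text).split(",")


def audit(config_text):
    """One-line verdict suitable for a compliance report."""
    value = effective_protocol(config_text)
    if ssh1_enabled(config_text):
        return f"FAIL: Protocol {value} accepts ssh1; set 'Protocol 2'"
    return f"OK: Protocol {value}"


if __name__ == "__main__":
    for name, text in [("hardened", HARDENED),
                       ("commented-out", COMMENTED_OUT),
                       ("shadowed", SHADOWED)]:
        print(f"{name}: {audit(text)}")
```

The commented-out case is the one that is easy to miss in review: the file mentions `Protocol 2`, but the directive is inactive, so the default applies.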