Bugtraq mailing list archives
Re: Kerberos security vulnerability in SSH-1.2.27
From: jts28 () CORNELL EDU (Schlachter, Jake)
Date: Wed, 5 Jul 2000 08:44:15 -0400
Just posting to note that there is indeed a ssh-1.2.28 release, but lo! also a 1.2.29. The .28 release's ChangeLog is identical to the old .27, but the .29 lists the Kerberos fix, as well as... an update to the License.

It appears that 1.2.29 (and, likely, following 1.x versions) will now be governed by the much more strict Version 2.x license. This means that unless you are a student who does not actually use ssh, you will most likely be paying for it.

ssh has quite a large following, and it is my understanding that SSH Communications Security tried changing the 1.x license once before, but a massive negative community action stayed their hand.

Options: qualify under the new lower wire, buy a commercial license, use an old version, switch to OpenSSH or another variant, or perhaps, by speaking with the voice of community, remind SSH of the intangible benefits of being part of that community...

Question for the Group: isn't the version 1.x license the only reason for the 1.5 protocol's continued use? (aside from compatibility reasons, which could probably be cleaned up were it not for the ver 2.x license)

Regards,
jts28
Current thread:
- Kerberos security vulnerability in SSH-1.2.27 Richard E. Silverman (Jun 30)
- Re: Kerberos security vulnerability in SSH-1.2.27 Carson Gaspar (Jul 02)
- Re: Kerberos security vulnerability in SSH-1.2.27 Dug Song (Jul 06)
- [RHSA-2000:041-02] man package's 'makewhatis' uses insecure handling of files in /tmp bugzilla () REDHAT COM (Jul 03)
- Re: Kerberos security vulnerability in SSH-1.2.27 Schlachter, Jake (Jul 05)
- Re: Kerberos security vulnerability in SSH-1.2.27 Atro Tossavainen (Jul 06)
- <Possible follow-ups>
- Re: Kerberos security vulnerability in SSH-1.2.27 anne () SSH COM (Jul 07)
- Re: Kerberos security vulnerability in SSH-1.2.27 Carson Gaspar (Jul 02)