Bugtraq mailing list archives
Re: SSH1 vulnerability ?
From: Markus Friedl <Markus.Friedl () INFORMATIK UNI-ERLANGEN DE>
Date: Sun, 11 Feb 2001 13:15:09 +0100
Tatu Ylonen wrote:
It's real enough for most vendors to respond. I think you want to make sure your servers have at least 1.2.30/2.4.0 or openssh 2.3.0p1 at this point.

well, 1.2.30 does not contain a fix for this problem.

No, but the current version is ssh-2.4.0, which does not suffer from this problem at all.
Well, you have to be very careful. This is only true if ssh-2.4.0 has fallback to ssh1 disabled and since the posting says "1.2.30/2.4.0" it implies that ssh1 support is enabled. So I'd like to point out again that:

1) ssh-2.4.0 is vulnerable iff fallback to ssh1 is enabled (unless it falls back to openssh-2.3.0p1, but I assume that this is very unlikely).
2) openssh-2.3.0p1 is _not_ vulnerable at all.

Note that it's not unlikely that ssh-2.x installations have ssh1 fallback _enabled_ (> 50% in the network I did check).

-m
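An added example, not part of the original message: one way to audit your own servers for the condition discussed above is to read the SSH identification string, where a protocol version of `1.99` means an SSH2 server that still accepts SSH1 clients and `1.x` means SSH1 only. The host names and banner strings are constructed samples; a hit only shows that SSH1 is offered, and per the message it is the SSH1 implementation behind the fallback that decides whether the host is affected.

```python
import re
from typing import Dict, NamedTuple, Optional

# Identification string layout: SSH-<protoversion>-<softwareversion>[ <comments>]
_ID_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)")


class SshId(NamedTuple):
    proto: str          # e.g. "1.5", "1.99", "2.0"
    software: str       # e.g. "2.4.0", "OpenSSH_2.3.0p1"
    ssh1_offered: bool
    ssh2_offered: bool


def parse_ssh_id(raw: bytes) -> Optional[SshId]:
    """Return the first SSH identification line found in the server greeting."""
    for line in raw.decode("ascii", "replace").splitlines():
        m = _ID_RE.match(line)
        if not m:
            continue  # servers may send other text lines before the ID string
        major, minor, software = int(m.group(1)), int(m.group(2)), m.group(3)
        # "1.99" is the compatibility marker: SSH2 server with SSH1 fallback.
        compat = (major, minor) == (1, 99)
        return SshId(f"{major}.{minor}", software,
                     ssh1_offered=(major == 1),
                     ssh2_offered=(compat or major >= 2))
    return None  # not an SSH service, or greeting truncated


def hosts_offering_ssh1(banners: Dict[str, bytes]) -> Dict[str, str]:
    """Map host -> software version for every host that accepts SSH1."""
    hits = {}
    for host, raw in banners.items():
        sid = parse_ssh_id(raw)
        if sid and sid.ssh1_offered:
            hits[host] = sid.software
    return hits


# Constructed sample greetings (not captured from real hosts).
SAMPLE = {
    "host-a.example": b"SSH-1.99-2.4.0 SSH Secure Shell\n",       # ssh2 + fallback
    "host-b.example": b"SSH-2.0-2.4.0 SSH Secure Shell\n",        # fallback disabled
    "host-c.example": b"SSH-1.5-1.2.30\n",                        # ssh1 only
    "host-d.example": b"SSH-1.99-OpenSSH_2.3.0p1\n",              # offers both
    "host-e.example": b"Welcome\r\nSSH-2.0-OpenSSH_2.3.0p1\r\n",  # pre-banner line
    "host-f.example": b"220 mail ready\r\n",                      # not SSH
}

if __name__ == "__main__":
    for host, software in sorted(hosts_offering_ssh1(SAMPLE).items()):
        print(f"{host}: SSH1 offered, software {software}")
```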