Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0

[Stephanie Thomas <customer.service () ssh com>]

Hi Brian, et. al.,

Actually, this statement:

> If you didn't pay for it then you are OK!!

is not true.  SSH Communications Security provides 
SSH Secure Shell for non-commercial / educational 
use, and commercial use on the free operating systems
(Linux / BSDs), free of charge.

Those non-commercial users of SSH Secure Shell 3.0 
(who didn't pay for it) are still vulnerable.

If you are using SSH Secure Shell 3.0, whether you
paid for it or not, please upgrade ASAP.  Non-commercial
/ education users can locate the upgrade at:

ftp://ftp.ssh.com/pub/ssh

Best Regards,

Steph

-- 
*********************************
Stephanie Thomas
Technical Support Specialist
SSH Secure Shell
GIAC Certified
Unix Security Administrator
SSH Communications Security Inc.
http://www.ssh.com/support/ssh
*********************************


Brian Carpio wrote:
> OpenSSH is not vulnerable at all weather or not you use PAM.. this is SSH
> the commercial Version.
>
> If you didn't pay for it then you are OK!!
>
> --------------
> Brian Carpio
> CSG Systems Inc.
> Open Systems Unix System Admin
>
> x3317
> --------------
>
> --- Security is a Process NOT a Product ----
>
> On Sat, 21 Jul 2001, Marcin Zurakowski wrote:
>
> > On Fri, 20 Jul 2001, Stephanie Thomas wrote:
> >
> > > an empty password.  This affects SSH Secure Shell 3.0.0
> >
> > I guess openssh with pam support is not vulnerable??
> >
> > --
> >
> > Marcin Zurakowski
> >
> > InterFirma Administrator

-- 
*********************************
Please note that for support cases,
if I have not heard otherwise within five
business days, I will assume that your issue
is resolved.

Stephanie Thomas
Technical Support Specialist
SSH Secure Shell
GIAC Certified
Unix Security Administrator
SSH Communications Security Inc.
http://www.ssh.com/support/ssh
*********************************