-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What about 2.9?

- -----Original Message-----
From: Thomas Roessler [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 23, 2001 11:42 AM
To: Florian Weimer
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0

On 2001-07-22 10:03:31 +0200, Florian Weimer wrote:

>A quick glance at the source code suggests that SSH 2.3.0 and
>2.4.0 have the same problem. Is this true?

I suppose we are talking about this section of ssh 2.4.0's
sshunixuser.c:

    /* Authentication is accepted if the encrypted passwords are identical. */
  #ifdef HAVE_HPUX_TCB_AUTH
    return strncmp(encrypted_password, correct_passwd,
                   strlen(correct_passwd)) == 0;
  #else /* HAVE_HPUX_TCB_AUTH */
    return strcmp(encrypted_password, correct_passwd) == 0;
  #endif /* HAVE_HPUX_TCB_AUTH */

If I read this correctly, it's certainly not a problem unless ssh is
compiled with HAVE_HPUX_TCB_AUTH defined. In that case, it may or
may not be a problem.

- --
Thomas Roessler                        http://log.does-not-exist.org/

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO1x4RXuovSIevPCzEQJgrACg7nG4kHVms/VV/fjKZPcT9OV0JRIAn2pG
Aqs6zdkLUaAYXceFoA3ydrLI
=8e4m
-----END PGP SIGNATURE-----
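
Added example (not part of the original messages and not SSH source code): the two comparison branches quoted above, run side by side on constructed strings, next to a hypothetical hardened comparison. The function names and sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Branch used when HAVE_HPUX_TCB_AUTH is defined: compares only the
 * first strlen(stored) bytes, so it is a prefix test on `computed`. */
static int match_prefix(const char *computed, const char *stored)
{
    return strncmp(computed, stored, strlen(stored)) == 0;
}

/* Branch used otherwise: both strings must be identical in full. */
static int match_exact(const char *computed, const char *stored)
{
    return strcmp(computed, stored) == 0;
}

/* Hypothetical hardened variant (an assumption, not SSH code): reject an
 * empty or length-mismatched field, then compare every byte, no early exit. */
static int match_hardened(const char *computed, const char *stored)
{
    size_t n = strlen(stored);
    unsigned char diff = 0;

    if (n == 0 || strlen(computed) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(computed[i] ^ stored[i]);
    return diff == 0;
}

int main(void)
{
    /* Constructed sample values, not real password hashes. */
    const char *computed = "abXXXXXXXXXXX"; /* stands in for encrypted_password */
    const char *stored[] = { "abXXXXXXXXXXX", "abYYYYYYYYYYY", "ab", "" };

    printf("%-16s %6s %6s %8s\n", "stored field", "prefix", "exact", "hardened");
    for (size_t i = 0; i < sizeof stored / sizeof stored[0]; i++)
        printf("%-16s %6d %6d %8d\n", stored[i][0] ? stored[i] : "(empty)",
               match_prefix(computed, stored[i]),
               match_exact(computed, stored[i]),
               match_hardened(computed, stored[i]));
    return 0;
}
```

The prefix branch reports a match whenever the stored field is a leading substring of the computed string, including an empty field, while the other two require the full strings to agree.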
