RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0

[Sports]

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What about 2.9?

- -----Original Message-----
From: Thomas Roessler [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 23, 2001 11:42 AM
To: Florian Weimer
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0


On 2001-07-22 10:03:31 +0200, Florian Weimer wrote:

>A quick glance at the source code suggests that SSH 2.3.0 and 
>2.4.0 have the same problem.  Is this true?

I suppose we are talking about this section of ssh 2.4.0's
sshunixuser.c:

   940
   941    /* Authentication is accepted if the encrypted passwords are
identical. */
   942  #ifdef HAVE_HPUX_TCB_AUTH
   943    return strncmp(encrypted_password, correct_passwd,
   944                   strlen(correct_passwd)) == 0;
   945  #else /* HAVE_HPUX_TCB_AUTH */
   946    return strcmp(encrypted_password, correct_passwd) == 0;
   947  #endif /* HAVE_HPUX_TCB_AUTH */

If I read this correctly, it's certainly not a problem unless ssh is 
compiled with HAVE_HPUX_TCB_AUTH defined.  In that case, it may or 
may not be a problem.

- -- 
Thomas Roessler                        http://log.does-not-exist.org/

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO1x4RXuovSIevPCzEQJgrACg7nG4kHVms/VV/fjKZPcT9OV0JRIAn2pG
Aqs6zdkLUaAYXceFoA3ydrLI
=8e4m
-----END PGP SIGNATURE-----