"Ronald J. Yacketta" wrote:
> 
> Michael Flaig wrote:
> >
> > Hello !
> > How can I get SSH for Mandrake 6.1 ?
> > It is needed for Servers ... to get Access from some remote stations ...
> >
> > It is not delivered with the Mandrake GPL Distribution ...
> > I can't find it ...

The version of ssh currently on the ftp and download sites
is the old 1.2.27.  This version has a newly discovered
bug in the RSAREF2 module which leaves your computer wide
open to hackers to execute root code.  

The 1.2.28 version should be released soon to cover this
security hole.  It would also be possible to get the
1.2.27 version in source form and do the security patch
and then reinstall.  

ssh 2.x is not affected.

I am not sure what the effect would be of getting the present
1.2.27 source RPM and rebuilding it with rsaref disabled.  It
may not work, but I would like to hear from people about this.
I think if you are going to rebuild rpm's, it should be fairly
trivial to get the source rpm, do the patch, and then rebuild
the rpm to something like ssh-1.2.27-rsaref-good-mdk-i586.rpm
or something like that.  I have not investigated this too
deeply yet.

The CERT advisory on ssh 1.2.27 and prior just came out this
week on Wednesday.  It's a critical security hole if you have
your /etc/hosts.deny and /etc/hosts.allow files set up to
allow global ssh logins (most are, and is the default in that
ssh is not mentioned in those files, leaving them wide open).

I was just on the Freshmeat and the www.ssh.org sites today,
Saturday Dec 18, and so far ALL versions there are the
vulnerable ones with no patches done yet.

-- 
Ramon Gandia ============= Sysadmin ============== Nook Net
http://www.nook.net                            [EMAIL PROTECTED]
285 West First Avenue                     tel. 907-443-7575
P.O. Box 970                              fax. 907-443-2487
Nome, Alaska 99762-0970 ==== Alaska Toll Free. 888-443-7525
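
Added example, not part of the original message: a simplified evaluator for the /etc/hosts.allow and /etc/hosts.deny lookup order mentioned above, showing why a host whose files never mention ssh accepts connections from anywhere. It assumes sshd was built with TCP wrappers support and uses the daemon name "sshd"; the rule files, hostnames and addresses are constructed, and only a subset of the pattern syntax is handled.

```python
# Added example: simplified TCP wrappers (hosts_access) evaluation.
# Subset only: ALL, exact host/address, ".domain" suffix, "a.b.c." prefix.

def parse_rules(text):
    """Parse hosts.allow / hosts.deny text into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, host, addr):
    """Match one client pattern against the peer's hostname and address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # domain suffix, e.g. .example.org
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):            # address prefix, e.g. 192.168.1.
        return addr.startswith(pattern)
    return pattern.lower() == host.lower() or pattern == addr

def rule_hit(rules, daemon, host, addr):
    """True if any rule names the daemon (or ALL) and matches the client."""
    return any((daemon in d or "ALL" in d) and
               any(client_matches(p, host, addr) for p in c)
               for d, c in rules)

def access(allow_text, deny_text, daemon, host, addr):
    """hosts.allow is consulted first, then hosts.deny; no match means allow."""
    if rule_hit(parse_rules(allow_text), daemon, host, addr):
        return "allowed (hosts.allow)"
    if rule_hit(parse_rules(deny_text), daemon, host, addr):
        return "denied (hosts.deny)"
    return "allowed (no rule matched)"

# Constructed sample files: ssh not mentioned at all vs. an explicit policy.
UNMENTIONED_ALLOW = "# hosts.allow with no ssh entry\n"
UNMENTIONED_DENY = "# hosts.deny with no ssh entry\n"
RESTRICTED_ALLOW = "sshd: 192.168.1. .example.org\n"
RESTRICTED_DENY = "sshd: ALL\n"

if __name__ == "__main__":
    peer = ("sshd", "remote.example.com", "203.0.113.9")   # constructed peer
    print(access(UNMENTIONED_ALLOW, UNMENTIONED_DENY, *peer))
    print(access(RESTRICTED_ALLOW, RESTRICTED_DENY, *peer))
```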
