potato not affected by SSH bug (was Re: debian potato's SSH not affected by SSH bug?)
nate wrote:
> I read the advisory, but I do not think it is complete.

Well, I am pretty much convinced now that Debian potato is not vulnerable to this if you're running potato's version of OpenSSH. I read a few more advisories, and two from openbsd.org mention that earlier than OpenSSH 2.3.1 is not affected by these specific vulnerabilities. And even in the newer ones it's only vulnerable under a specific set of circumstances, and even then they only affect SSH protocol 2. Hardly the bug it was hyped to be. I guess that's good news though :)

As Colin (I think) mentioned, the older SSH isn't quite as audited, so for some maybe it's good to upgrade to 3.4. For me though, my networks heavily depend on SSH1 + RSA authentication, so I won't be deploying the new SSH right away. I guess it depends on when woody is released. Using the new SSH would require a lot of reconfiguration on several dozen servers, something I want to avoid unless it's absolutely needed (or I get a spare weekend, yeah right, like that'll happen!)

nate
(going to go ahead and unfirewall my potato systems tomorrow)

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
debian potato's SSH not affected by SSH bug?
I sent a message to bugtraq a couple of minutes ago asking the people on the list if any other versions were tested. Hoping that it gets approved; it usually takes a few hours or a day to make it through.

But the way I read the advisory, Debian potato's SSH should not be vulnerable to this bug, which would be great news to me. The advisory only mentions OpenSSH 3.0 and up being possibly affected. No mention of any other versions being vulnerable or not vulnerable, and no mention of any other versions that were tested. So I'm keeping my hopes up and my firewalls tight in the meantime!

Advisory: http://online.securityfocus.com/archive/1/278818/2002-06-23/2002-06-29/0

If anyone has more information on whether or not the older OpenSSHs are vulnerable, please pass it along to me!! Thanks

nate
Re: debian potato's SSH not affected by SSH bug?
nate wrote:
> I sent a message to bugtraq a couple of minutes ago asking the people on the list if any other versions were tested. Hoping that it gets approved; it usually takes a few hours or a day to make it through.
>
> But the way I read the advisory, Debian potato's SSH should not be vulnerable to this bug, which would be great news to me. The advisory only mentions OpenSSH 3.0 and up being possibly affected. No mention of any other versions being vulnerable or not vulnerable, and no mention of any other versions that were tested. So I'm keeping my hopes up and my firewalls tight in the meantime!

No, potato's ssh packages are vulnerable and updates have been made available; DSA-134 contains all the necessary information: http://www.debian.org/security/2002/dsa-134.

Note that the upgraded openssh packages require updated openssl packages; it looks like the new openssl packages will co-exist with the older version that shipped with potato, but I no longer have any potato systems, so YMMV.

Phil

ps: it's great to be back on debian-user once again!
Re: debian potato's SSH not affected by SSH bug?
Phil Brutsche wrote:
> No, potato's ssh packages are vulnerable and updates have been made available; DSA-134 contains all the necessary information: http://www.debian.org/security/2002/dsa-134.
>
> Note that the upgraded openssh packages require updated openssl packages; it looks like the new openssl packages will co-exist with the older version that shipped with potato, but I no longer have any potato systems, so YMMV.

I read the advisory, but I do not think it is complete. The way I read it is: "we were not given any information on what this vulnerability involves, so we have no way of investigating whether or not we are vulnerable; all we were told is this version fixes this problem, so here it is, use at your own risk, it hasn't been heavily tested, we are putting it out just in case". I get that from this quote of the advisory:

> Since details of the problem have not been released we were forced to move to the latest release of OpenSSH portable, version 3.3p1.

As I just got finished discussing this with a co-worker, I also point out that the ISS advisory SPECIFICALLY mentions the SSH2 protocol, which Debian potato does not support, and it also SPECIFICALLY mentions several things in OpenSSH 3 which, from what I can see, are also not supported in OpenSSH 1.2.3. Maybe the advisory is bad, maybe I am too optimistic, but I still want hard evidence that OpenSSH 1.2.3 is vulnerable before I upgrade a network of servers two full major version numbers to SSH 3 (currently I have them firewalled).

Everything I have seen to date says OpenSSH 3.0 and up is vulnerable. No mention of earlier versions specifically being marked as vulnerable, nor is there any mention of older versions specifically being tested for this vulnerability. If you or others have more info, please pass it along; I am reading every post on the subject on the bugtraq and vuln-dev mailing lists as well as the advisories being put out by vendors.

There is a scanner; however, I am hesitant to download it. Many scanners attempt to determine if a system is vulnerable solely by the version of the software the system is running, and do not actually determine whether the system is vulnerable.

nate
(hopefully optimistic that Debian is not vulnerable)
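The scanner nate describes above works from the server's identification banner alone. The following is an added example, not code from any poster on this thread and not the scanner in question, showing what such a version-only check can and cannot tell you. The affected window it uses (2.3.1 up to, but not including, 3.4) is an assumption taken from the thread's own statements about which releases were said to be unaffected and which release fixed the problem; the banners are constructed, not captured from real hosts.

```python
import re

# Assumed version window, taken from the thread: versions earlier than
# 2.3.1 are described there as not affected and 3.4 as the fixed release.
# Lower bound inclusive, upper bound exclusive. Illustrative only.
AFFECTED_FROM = (2, 3, 1)
FIXED_IN = (3, 4, 0)

# SSH identification string: "SSH-<proto>-<software> [comment]".
# Accepts both "OpenSSH_3.3p1" and the older hyphenated "OpenSSH-1.2.3"
# form (assumption about old banners), with an optional portable "pN".
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH[_-]"
    r"(?P<maj>\d+)\.(?P<min>\d+)(?:\.(?P<pat>\d+))?(?:p\d+)?"
)


def parse_banner(banner):
    """Split a banner into (protocol_version, (major, minor, patch), comment).

    Returns None for anything that is not an OpenSSH banner.
    """
    text = banner.strip()
    m = _BANNER_RE.match(text)
    if m is None:
        return None
    version = (int(m.group("maj")), int(m.group("min")),
               int(m.group("pat") or 0))
    comment = text[m.end():].strip()
    return m.group("proto"), version, comment


def offers_protocol2(banner):
    """True if the banner advertises SSH protocol 2: "2.0", or "1.99" for a
    server that speaks both. Any other "1.x" banner is protocol 1 only."""
    parsed = parse_banner(banner)
    if parsed is None:
        return False
    return parsed[0] in ("1.99", "2.0")


def classify(banner):
    """Version-only verdict, exactly as a banner scanner would give it.

    'not-openssh'        banner not recognised
    'below-range'        older than the first affected version
    'fixed'              at or above the fixed release
    'possibly-affected'  inside the window. The banner cannot show whether
                         the build enabled the affected code paths or
                         whether the vendor backported a fix, so this is
                         never more than "possibly".
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return "not-openssh"
    _, version, _ = parsed
    if version < AFFECTED_FROM:
        return "below-range"
    if version >= FIXED_IN:
        return "fixed"
    return "possibly-affected"


# Constructed banners for illustration; none were captured from real hosts.
SAMPLE_BANNERS = [
    "SSH-1.5-OpenSSH-1.2.3",                         # protocol 1 only
    "SSH-1.99-OpenSSH_3.0.2p1 Debian 1:3.0.2p1-9",   # Debian-style comment
    "SSH-1.99-OpenSSH_3.3p1",
    "SSH-2.0-OpenSSH_3.4p1",
    "SSH-2.0-SomeOtherServer_1.0",
]


def triage(banners):
    """Return {banner: (verdict, offers_protocol2)} for a list of banners."""
    return {b: (classify(b), offers_protocol2(b)) for b in banners}


if __name__ == "__main__":
    for banner, (verdict, proto2) in triage(SAMPLE_BANNERS).items():
        print(f"{banner:48} {verdict:18} protocol2={proto2}")
```

The point of the "possibly-affected" verdict is the one nate makes: a banner carries the version string and, at most, a vendor comment, so a scanner reading it can neither see which options the binary was built with nor tell a backported fix from an unpatched upstream release. Anything inside the window needs the vendor advisory or an actual test, not a regex, before it is called vulnerable.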
Re: debian potato's SSH not affected by SSH bug?
On Wed, Jun 26, 2002 at 01:58:29PM -0500, Phil Brutsche wrote:
> No, potato's ssh packages are vulnerable and updates have been made available; DSA-134 contains all the necessary information: http://www.debian.org/security/2002/dsa-134.

That advisory predates the release of full information on the exploit. At the time it was released, the OpenSSH group had not yet stated that the vulnerability was dependent upon having certain versions of ssh built with certain options enabled.

Would the security team please issue an official update to the advisory indicating whether, now that further information on the vulnerability has been released, existing (pre-3.3) Debian ssh packages are believed to be affected?

-- 
When we reduce our own liberties to stop terrorism, the terrorists have already won. - reverius
Innocence is no protection when governments go bad. - Tom Swiss
Re: debian potato's SSH not affected by SSH bug?
On Wed, Jun 26, 2002 at 02:10:58PM -0500, Dave Sherohman wrote:
> Would the security team please issue an official update to the advisory indicating whether, now that further information on the vulnerability has been released, existing (pre-3.3) Debian ssh packages are believed to be affected?

I think it's safe to say that there will be more information from the security team as more information becomes clear. While my understanding is that at least OpenSSH 3.0.2 in woody/sid was not affected by the specific vulnerability that was announced today, it's not yet obvious that only one vulnerability was involved, and, let's face it, Debian has not exactly had the benefit of lots of advance information up to now. In these circumstances, don't expect the security team to be quick about claiming potato isn't vulnerable.

It might be worth considering that updating OpenSSH 1.2.3 was perhaps long overdue anyway: 1.2.3 is very old code and hasn't had a great deal of auditing recently. That's not to say that anyone is pleased about having to push out such a rushed update in a way that skates very close to the edges of how stable is intended to be managed.

-- 
Colin Watson [EMAIL PROTECTED]
Re: debian potato's SSH not affected by SSH bug?
Phil Brutsche [EMAIL PROTECTED] writes:
> No, potato's ssh packages are vulnerable and updates have been made available; DSA-134 contains all the necessary information: http://www.debian.org/security/2002/dsa-134.

That DSA does not contain all the information currently available, because it was written before the actual problem was known:

> Theo de Raadt announced that the OpenBSD team is working with ISS to address a remote exploit for OpenSSH (a free implementation of the Secure SHell protocol). They are refusing to provide any details on the vulnerability but instead are advising users to upgrade to the latest release, version 3.3.

-- 
Alan Shutko [EMAIL PROTECTED] - In a variety of flavors!
WinErr: 013 Unexpected error - Huh ?