Re: Which ssh should I have?

It seems that this discussion has been due to an over-zealous sysadmin. If one will check the Nessus documentation (mailing lists), such "false positives" have been throughly debated. Many of the scan scripts (nasl plugins) only check version numbers. Owing to this paradigm, nessus outputs warni

Re: Which ssh should I have?

It seems that this discussion has been due to an over-zealous sysadmin. If one will check the Nessus documentation (mailing lists), such "false positives" have been throughly debated. Many of the scan scripts (nasl plugins) only check version numbers. Owing to this paradigm, nessus outputs warn

Re: Which ssh should I have?

* Ethan Benson <[EMAIL PROTECTED]> [011109 16:41]: > > Is there any harm from installing ssh from woody on potato? This > > does > > not apply in my case, but I'd like to know. > > you can't, the dependencies will drag in half of woody. I suspected that, and suggested to a friend of mine to upgrad

Re: Which ssh should I have?

On Fri, Nov 09, 2001 at 11:26:49AM +0100, Ville Uski wrote: > > Is there any harm from installing ssh from woody on potato? This does > not apply in my case, but I'd like to know. you can't, the dependencies will drag in half of woody. you can backport the woody ssh packages to potato however.

Re: Which ssh should I have?

* Ethan Benson <[EMAIL PROTECTED]> [011109 16:41]: > > Is there any harm from installing ssh from woody on potato? This > > does > > not apply in my case, but I'd like to know. > > you can't, the dependencies will drag in half of woody. I suspected that, and suggested to a friend of mine to upgra

Re: Which ssh should I have?

On Fri, Nov 09, 2001 at 11:26:49AM +0100, Ville Uski wrote: > Is there any harm from installing ssh from woody on potato? This does > not apply in my case, but I'd like to know. No harm beyond getting it built right (no binary installs from woody/sid into potato), and realizing that security.debi

Re: Which ssh should I have?

On Fri, Nov 09, 2001 at 11:26:49AM +0100, Ville Uski wrote: > > Is there any harm from installing ssh from woody on potato? This does > not apply in my case, but I'd like to know. you can't, the dependencies will drag in half of woody. you can backport the woody ssh packages to potato however.

Re: Which ssh should I have?

On Fri, Nov 09, 2001 at 11:26:49AM +0100, Ville Uski wrote: > Is there any harm from installing ssh from woody on potato? This does > not apply in my case, but I'd like to know. No harm beyond getting it built right (no binary installs from woody/sid into potato), and realizing that security.deb

Re: Which ssh should I have?

* NOKUBI Takatsugu <[EMAIL PROTECTED]> [011109 09:53]: > >> Vender Status Date updated > >> Debian Vulnerable 2-Nov-2001 > > OpenSSH on Debian is right, but ssh-nonfree is still vulnerable. > See http://bugs.debian.org/85725 It seems that some people think that even ssh in potato is unsafe. The l

Re: Which ssh should I have?

In article <[EMAIL PROTECTED]> [EMAIL PROTECTED] writes: >> CERT tells me Debian potato is vulnerable. We might want to correct them >> if they are wong. >> >> http://www.cert.org/incident_notes/IN-2001-12.html >> http://www.kb.cert.org/vuls/id/945216 >> tells me: >> >> Vender Status Date update

Re: Which ssh should I have?

* NOKUBI Takatsugu <[EMAIL PROTECTED]> [011109 09:53]: > >> Vender Status Date updated > >> Debian Vulnerable 2-Nov-2001 > > OpenSSH on Debian is right, but ssh-nonfree is still vulnerable. > See http://bugs.debian.org/85725 It seems that some people think that even ssh in potato is unsafe. The

Re: Which ssh should I have?

In article <[EMAIL PROTECTED]> [EMAIL PROTECTED] writes: >> CERT tells me Debian potato is vulnerable. We might want to correct them >> if they are wong. >> >> http://www.cert.org/incident_notes/IN-2001-12.html >> http://www.kb.cert.org/vuls/id/945216 >> tells me: >> >> Vender Status Date updat

Re: Which ssh should I have?

Wichert Akkerman <[EMAIL PROTECTED]> immo vero scripsit > That's because nessus only checks the version number, and since we > backported the patch we still have the old version number even though > we are safe. CERT tells me Debian potato is vulnerable. We might want to correct them if they are

Re: Which ssh should I have?

Wichert Akkerman <[EMAIL PROTECTED]> immo vero scripsit > That's because nessus only checks the version number, and since we > backported the patch we still have the old version number even though > we are safe. CERT tells me Debian potato is vulnerable. We might want to correct them if they are

Re: Which ssh should I have?

* Wichert Akkerman <[EMAIL PROTECTED]> [011107 18:54]: > That's because nessus only checks the version number, and since we > backported the patch we still have the old version number even though > we are safe. This also occurred to me, but appeared too trivial a solution... Well, I guess that's i

Re: Which ssh should I have?

Quoting Ted Cabeen ([EMAIL PROTECTED]): > >Hm, why should I do that? Is my admin right when he thinks that my > >current sshd is vulnerable? I have the latest stable precompiled > >package, i.e. the default ssh installed. > > Make sure that you have the security site in your /etc/apt/sources.list

Re: Which ssh should I have?

Previously Ville Uski wrote: > Thanks for info. Yes, I have that line in my sources.list, and I also > believe I am fine. Our network admin used the nessus ssh plugin to scan > the network. He only says that nessus gives a warning about my computer > (concerning the crc bug) and knows nothing more

Re: Which ssh should I have?

* Ted Cabeen <[EMAIL PROTECTED]> [011107 18:11]: > Make sure that you have the security site in your > /etc/apt/sources.list file. If you do, and apt-get update; apt-get > upgrade says you're up to date, then you're fine. In general, the > security team patches the current version to fix security

Re: Which ssh should I have?

In message <[EMAIL PROTECTED]>, Ville Uski writes: >* jigal <[EMAIL PROTECTED]> [011107 14:20]: >> But I found this in the archives of the security mailinglist: >> http://lists.debian.org/debian-security/2001/debian-security-200102/msg00138 >.html >> >> The previous mail in the thread references t

Re: Which ssh should I have?

* Wichert Akkerman <[EMAIL PROTECTED]> [011107 18:54]: > That's because nessus only checks the version number, and since we > backported the patch we still have the old version number even though > we are safe. This also occurred to me, but appeared too trivial a solution... Well, I guess that's

Re: Which ssh should I have?

Previously Ville Uski wrote: > Thanks for info. Yes, I have that line in my sources.list, and I also > believe I am fine. Our network admin used the nessus ssh plugin to scan > the network. He only says that nessus gives a warning about my computer > (concerning the crc bug) and knows nothing mor

Re: Which ssh should I have?

Quoting Ted Cabeen ([EMAIL PROTECTED]): > >Hm, why should I do that? Is my admin right when he thinks that my > >current sshd is vulnerable? I have the latest stable precompiled > >package, i.e. the default ssh installed. > > Make sure that you have the security site in your /etc/apt/sources.lis

Re: Which ssh should I have?

* Ted Cabeen <[EMAIL PROTECTED]> [011107 18:11]: > Make sure that you have the security site in your > /etc/apt/sources.list file. If you do, and apt-get update; apt-get > upgrade says you're up to date, then you're fine. In general, the > security team patches the current version to fix securit

Re: Which ssh should I have?

In message <[EMAIL PROTECTED]>, Ville Uski writes: >* jigal <[EMAIL PROTECTED]> [011107 14:20]: >> But I found this in the archives of the security mailinglist: >> http://lists.debian.org/debian-security/2001/debian-security-200102/msg00138 >.html >> >> The previous mail in the thread references

Re: Which ssh should I have?

* jigal <[EMAIL PROTECTED]> [011107 14:20]: > But I found this in the archives of the security mailinglist: > http://lists.debian.org/debian-security/2001/debian-security-200102/msg00138.html > > The previous mail in the thread references to: > http://razor.bindview.com/publish/advisories/adv_ssh1

Re: Which ssh should I have?

On Wed, 07 Nov 2001, jigal wrote: > Here you find a reference to the vuln, fixed. > http://www.debian.org/security/2001/dsa-027 I am sorry I found by reading it again it doesn't mention it. But I found this in the archives of the security mailinglist: http://lists.debian.org/debian-security/20

Re: Which ssh should I have?

On Wed, 07 Nov 2001, Ville Uski wrote: > The ssh package I currently have is ssh_1.2.3-9.3_i386.deb. > > I have understood that the crc32 bug was already found in February so I > find it hard to believe that it's not already fixed on debian (I'm > running woody on a laptop PC). I should have all

RE: Which ssh should I have?

: Re: Which ssh should I have? > > > Where can I get the opensource ssh? > > tks > > On Wed, 07 Nov 2001, Ville Uski wrote: > > Hi, > > > > I just joined the list after the admin of the network in my house had > > complained that sshd running in my computer

Re: Which ssh should I have?

Where can I get the opensource ssh? tks On Wed, 07 Nov 2001, Ville Uski wrote: > Hi, > > I just joined the list after the admin of the network in my house had > complained that sshd running in my computer is "remotely exploitable". I > asked for more details and he only said it's the bug in the

Which ssh should I have?

Hi, I just joined the list after the admin of the network in my house had complained that sshd running in my computer is "remotely exploitable". I asked for more details and he only said it's the bug in the crc32 bit. He also told me to install the newest version of openssh. The problem is now whi

Re: Which ssh should I have?

* jigal <[EMAIL PROTECTED]> [011107 14:20]: > But I found this in the archives of the security mailinglist: > http://lists.debian.org/debian-security/2001/debian-security-200102/msg00138.html > > The previous mail in the thread references to: > http://razor.bindview.com/publish/advisories/adv_ssh

Re: Which ssh should I have?

On Wed, 07 Nov 2001, jigal wrote: > Here you find a reference to the vuln, fixed. > http://www.debian.org/security/2001/dsa-027 I am sorry I found by reading it again it doesn't mention it. But I found this in the archives of the security mailinglist: http://lists.debian.org/debian-security/2

Re: Which ssh should I have?

On Wed, 07 Nov 2001, Ville Uski wrote: > The ssh package I currently have is ssh_1.2.3-9.3_i386.deb. > > I have understood that the crc32 bug was already found in February so I > find it hard to believe that it's not already fixed on debian (I'm > running woody on a laptop PC). I should have al

RE: Which ssh should I have?

Hello, www.freshmeat.net Or if your running debian do an apt-get install ssh (most recommended) Ed > -Original Message- > From: Osvaldo Mundim Junior [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, November 07, 2001 7:47 AM > To: [EMAIL PROTECTED] > Subject: Re: Which ss

Re: Which ssh should I have?

Where can I get the opensource ssh? tks On Wed, 07 Nov 2001, Ville Uski wrote: > Hi, > > I just joined the list after the admin of the network in my house had > complained that sshd running in my computer is "remotely exploitable". I > asked for more details and he only said it's the bug in the

Which ssh should I have?

Hi, I just joined the list after the admin of the network in my house had complained that sshd running in my computer is "remotely exploitable". I asked for more details and he only said it's the bug in the crc32 bit. He also told me to install the newest version of openssh. The problem is now wh