Re: openssh packages not vulnerable

Paul Baker [EMAIL PROTECTED] writes:

> So as it turns out, AFAIK, none of the versions of OpenSSH in Debian
> were actually vulnerable to the exploit found by ISS and reported in
> DSA-134

The 3.3p1 packages are vulnerable in some configurations. :-(

-- 
Florian Weimer            [EMAIL PROTECTED]
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                  fax +49-711-685-5898

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: openssh packages not vulnerable

Note that Potato users actually BECAME vulnerable by installing this
security fix.

On Thu, 27 Jun 2002, Florian Weimer wrote:

> Paul Baker [EMAIL PROTECTED] writes:
>
> > So as it turns out, AFAIK, none of the versions of OpenSSH in Debian
> > were actually vulnerable to the exploit found by ISS and reported in
> > DSA-134
>
> The 3.3p1 packages are vulnerable in some configurations. :-(

-- 
Customer: I'm running Windows '98
Tech: Yes.
Customer: My computer isn't working now.
Tech: Yes, you said that.

Who is John Galt? [EMAIL PROTECTED], that's who!
openssh packages not vulnerable

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So as it turns out, AFAIK, none of the versions of OpenSSH in Debian were
actually vulnerable to the exploit found by ISS and reported in DSA-134.

Potato wasn't vulnerable because it is SSH1 only, and the problem lies in
the ChallengeResponseAuthentication feature that only exists in the SSH2
protocol. Also, in order to be vulnerable, either the S/KEY or the BSD_AUTH
authentication mechanism needed to be enabled at compile time. The
woody/sid packages do not enable either of these features.

So what it all boils down to is that at no time was Debian vulnerable to
this problem.

I'm curious what recourse Debian is planning to take now? Perhaps removing
the buggy OpenSSH 3.3 packages off of security.debian.org so people don't
upgrade to it, since it's not at all necessary and it will only cause
problems like screwing up compression and pam.

- -- 
Paul Baker

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.
        -- Benjamin Franklin, 1759

GPG Key: http://homepage.mac.com/pauljbaker/public.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (Darwin)
Comment: For info see http://www.gnupg.org

iD8DBQE9GheLoxmRVfL3nlsRAmM4AJ9mBv0mgZhEqW/Duzoj5SUQw4UewACeICe+
I6wH9uksQP9RJMpZk5YNqQc=
=jknM
-----END PGP SIGNATURE-----
Re: openssh packages not vulnerable

On Wed, Jun 26, 2002 at 02:35:21PM -0500, Paul Baker wrote:

> I'm curious what recourse Debian is planning to take now? Perhaps
> removing the buggy OpenSSH 3.3 packages off of security.debian.org so
> people don't upgrade to it, since it's not at all necessary and it will
> only cause problems like screwing up compression and pam.

And does anyone have any advice for people in my situation? Yesterday we
upgraded 60-some Debian 2.2 boxes to the new 3.3 packages. I would
actually like to have 3.4 packages. But should I just downgrade to what
we had before?

Thanks :)

-- 
-tcole
Re: openssh packages not vulnerable

On Wed, 26 Jun 2002, Paul Baker wrote:

> I'm curious what recourse Debian is planning to take now? Perhaps
> removing the buggy OpenSSH 3.3 packages off of security.debian.org so
> people don't upgrade to it, since it's not at all necessary and it will
> only cause problems like screwing up compression and pam.

Even worse, on 2.0.x kernels PrivilegeSeparation doesn't work, rendering
sshd useless for interactive sessions, or making it vulnerable if you
disable it.

[RicV]
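The thread gives three conditions for exposure to the DSA-134 bug (SSH2 enabled, ChallengeResponseAuthentication in effect, S/KEY or BSD_AUTH compiled in) and, in Richard's reply, a fourth thing to watch (privilege separation not working on 2.0.x kernels). The following audit script is an added example, not code from the thread or from the Debian packages; it encodes those conditions so an admin can check an sshd_config before deciding whether to upgrade or downgrade. The function and constant names are mine; the set of compiled-in authentication mechanisms is taken as a caller-supplied argument (assumption: read it off the package's build options, since sshd of that era has no switch to print it), and the fallback defaults for an absent Protocol or ChallengeResponseAuthentication keyword are my reading of OpenSSH 3.x behaviour.

```python
"""
Added example (not from the thread): audit an sshd_config against the
exposure conditions described for the OpenSSH 3.3 / DSA-134 issue.

Per the thread, the challenge-response bug is reachable only when
  1. the SSH2 protocol is enabled (Potato's SSH1-only build is out),
  2. ChallengeResponseAuthentication is in effect, and
  3. S/KEY or BSD_AUTH was compiled into sshd (woody/sid had neither).
Separately, privilege separation does not work on 2.0.x kernels.
"""

# Assumed sshd defaults for absent keywords (OpenSSH 3.x behaviour):
# Protocol "2,1" and ChallengeResponseAuthentication "yes".
DEFAULT_PROTOCOL = "2,1"
DEFAULT_CRA = "yes"


def parse_sshd_config(text):
    """Return {keyword_lowercased: value}.  Comments and blank lines are
    skipped and, as sshd itself does, the first occurrence of a keyword
    wins over later ones."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts


def assess(config_text, compiled_auth, kernel_release):
    """Evaluate one sshd_config, the build's compiled-in auth mechanisms
    (caller-supplied set such as {"pam"} or {"skey"}) and the running
    kernel release string.  Returns a dict:
      cra_exposed : True when all three exposure conditions hold
      privsep     : True when UsePrivilegeSeparation is explicitly "yes"
      findings    : list of plain-text remarks on what to fix
    """
    opts = parse_sshd_config(config_text)
    protocols = {p.strip() for p in opts.get("protocol", DEFAULT_PROTOCOL).split(",")}
    ssh2 = "2" in protocols
    cra = opts.get("challengeresponseauthentication", DEFAULT_CRA).lower() == "yes"
    skey_or_bsdauth = bool({"skey", "bsd_auth"} & {m.lower() for m in compiled_auth})
    cra_exposed = ssh2 and cra and skey_or_bsdauth

    findings = []
    if not ssh2:
        findings.append("SSH1 only: challenge-response path not reachable")
    elif not skey_or_bsdauth:
        findings.append("neither S/KEY nor BSD_AUTH compiled in: not exposed")
    elif cra:
        findings.append("set 'ChallengeResponseAuthentication no' or upgrade sshd")
    else:
        findings.append("ChallengeResponseAuthentication already disabled")

    # The keyword's default varies across 3.x releases, so only an explicit
    # "yes" is counted as privsep being on (an assumption of this audit).
    privsep = opts.get("useprivilegeseparation", "no").lower() == "yes"
    if kernel_release.startswith("2.0."):
        findings.append("2.0.x kernel: privilege separation is not usable here")
    elif not privsep:
        findings.append("UsePrivilegeSeparation is off; enable it where the kernel allows")
    return {"cra_exposed": cra_exposed, "privsep": privsep, "findings": findings}


# Constructed sample configs (not taken from any real host).
POTATO_CONFIG = "Protocol 1\nPermitRootLogin no\n"
WOODY_CONFIG = "# keyword left at its default\nPermitRootLogin no\nUsePrivilegeSeparation yes\n"
SKEY_BUILD_CONFIG = "Protocol 2,1\nChallengeResponseAuthentication yes\n"

if __name__ == "__main__":
    for name, cfg, auth, kernel in [
        ("potato", POTATO_CONFIG, {"pam"}, "2.2.19"),
        ("woody", WOODY_CONFIG, {"pam"}, "2.4.18"),
        ("skey-build", SKEY_BUILD_CONFIG, {"skey"}, "2.0.39"),
    ]:
        print(name, assess(cfg, auth, kernel))
```

Run as-is it prints one verdict per constructed config: the SSH1-only Potato config and the woody-style build without S/KEY come out not exposed, matching the thread's reasoning, while a hypothetical S/KEY-enabled build on a 2.0.x kernel is flagged on both counts. To use it on a real host, read /etc/ssh/sshd_config into the first argument and fill the second from the package's build options.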
Re: openssh packages not vulnerable

On Wednesday, June 26, 2002, at 03:50 PM, Richard wrote:

> Even worse, on 2.0.x kernels PrivilegeSeparation doesn't work,
> rendering sshd useless for interactive sessions, or making it
> vulnerable if you disable it.

All debian versions of ssh packages are not vulnerable, AFAIK. I'm hoping
the security team will make an official announcement.

-- 
Paul Baker

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.
        -- Benjamin Franklin, 1759

GPG Key: http://homepage.mac.com/pauljbaker/public.asc