Bugtraq mailing list archives
Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7)
From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Sat, 13 Nov 1999 20:18:27 -0700
There appears to be a serious vulnerability in ssh 1.2.27. I will let the folks who worked on this issue describe. There was brief discussion on vuln-dev on the politics of ssh 1 vs. ssh 2, etc... you may or may not want to play that out on Bugtraq. One of the key points of the SSH 1 vs. SSH 2 debate is regarding licensing. Basically, because of a less strict license on SSH 1, more folks are likely to be running that version. (This is all referring to the Datafellows implementation that everyone uses, rather than standards and protocols, I presume.)
The upcoming OpenBSD 2.6 release contains/includes an ssh implimentation which is derived from an earlier ssh 1 (and thus has no Datafellows licencing issues). We are calling this ssh by the name "OpenSSH". Anyways, in the process of rewriting parts of ssh, the OpenSSH developers accidentally fixed this bug. Whoops! :-) So when the OpenBSD 2.6 release finally comes out (about 10 days from now?), I hope that this pre-announcement will stop us from being flooded with questions about this particular problem.....
Current thread:
- ssh-1.2.27 remote buffer overflow - exploitable (VD#7) Blue Boar (Nov 13)
- Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7) Theo de Raadt (Nov 13)
- Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7) Szilveszter Adam (Nov 14)
- Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7) Brian Fundakowski Feldman (Nov 14)
- BIND 8.2.2-P5 release announcement Roger Fajman (Nov 13)
- <Possible follow-ups>
- Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7) Oystein Viggen (Nov 16)
- Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7) Daniel Jacobowitz (Nov 16)
- Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7) Jochen Bauer (Nov 16)
- Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7) Nick Craig-Wood (Nov 18)
- ProFTPd - mod_sqlpw.c Todd C. Campbell (Nov 19)
- Pandora v4 Beta 2 Software Simple Nomad (Nov 19)
- Remote D.o.S Attack in G6 FTP Server v2.0 (beta 4/5) Vulnerability Ussr Labs (Nov 16)
(Thread continues...)
- Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7) Theo de Raadt (Nov 13)