Bugtraq mailing list archives

Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0


From: Marcus Meissner <mm () ns caldera de>
Date: Sun, 22 Jul 2001 00:48:58 +0200

In article <FNEKKFMHLBAMAHPEHBLMCEAGCAAA.customer.service () ssh com> you wrote:
Dear Secure Shell Community,

A potential remote root exploit has been discovered 
in SSH Secure Shell 3.0.0, for Unix only, concerning 
accounts with password fields consisting of two or 
fewer characters. Unauthorized users could potentially 
log in to these accounts using any password, including 
an empty password.  This affects SSH Secure Shell 3.0.0
for Unix only.  This is a problem with password 
authentication to the sshd2 daemon.  The SSH Secure 
Shell client binaries (located by default in 
/usr/local/bin) are not affected.   

SSH Secure Shell 3.0.1 fixes this problem.
...
... Vulnerable ...
...
Caldera Linux 2.4 


Caldera is not shipping the commercial version of SSH in its Linux
distributions and so is NOT vulnerable except in cases where the
administrator installed the commercial version of SSH.

We are instead providing OpenSSH version 2.9p2 for all supported platforms,
which is not affected by the above flaw.

Ciao, Marcus
-- 
      _____     ___
     /  __/____/  /                Caldera (Deutschland) GmbH
    /  /_/ __  / /__          Naegelsbachstr. 49c, 91052 Erlangen
   /_____//_/ /____/       Dipl. Inf. Marcus Meissner, email: mm () caldera de
  ==== /_____/ ======    phone: ++49 9131 7912-300, fax: ++49 9131 7192-399
   Caldera OpenLinux

